Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1467851
MD5:	86738dd73219b83320ba19af11c97e11
SHA1:	a18ae0b3abf1aabece29993b227eef15f8e055e1
SHA256:	6e517782e2e25b874ddf2861144e814309235517cf517890efff1a183c014b21
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 4460 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 86738DD73219B83320BA19AF11C97E11)

chrome.exe (PID: 3320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 522sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_90.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_90.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_82.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_90.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_90.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_90.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_90.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_90.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_90.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_90.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional/embedded?gl=kr
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/terms/location/embedded
Source: chromecache_90.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/get_family_link_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/get_family_link_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_fork_who_will_use_dark_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_fork_who_will_use_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_0.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_0.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/alreadyinstalledfamilylink.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/alreadyinstalledfamilylink_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/installfamilylink.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/installfamilylink_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_90.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_90.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_90.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_82.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_90.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_90.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_90.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: file.exe, 00000000.00000003.1904153023.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1894857261.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1894632529.000000000344E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1894738190.0000000003470000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1894835498.000000000349B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account
Source: file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountKk
Source: file.exe, 00000000.00000002.1905751957.000000000351A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899311418.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903036536.0000000003512000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1896633819.00000000034F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountL
Source: file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account~fh~
Source: chromecache_90.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: chromecache_90.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 56337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56338
Source: unknown	Network traffic detected: HTTP traffic on port 56329 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56337
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 56338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56329
Source: unknown	Network traffic detected: HTTP traffic on port 56328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56331
Source: unknown	Network traffic detected: HTTP traffic on port 56326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56332
Source: unknown	Network traffic detected: HTTP traffic on port 56331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:56329 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0102EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0102ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0102EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0101AB9C

Source: file.exe, 00000000.00000003.1904153023.00000000034B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES

memstr_72fc316d-d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01049576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01049576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4e0174f7-5
Source: file.exe, 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f1a7683e-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_41f31c69-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c2549626-d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0101D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01011201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01011201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0101E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB8060	0_2_00FB8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01022046	0_2_01022046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01018298	0_2_01018298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FEE4FF	0_2_00FEE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE676B	0_2_00FE676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01044873	0_2_01044873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBCAF0	0_2_00FBCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDCAA0	0_2_00FDCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCCC39	0_2_00FCCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE6DD9	0_2_00FE6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB91C0	0_2_00FB91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCB119	0_2_00FCB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD1394	0_2_00FD1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD1706	0_2_00FD1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD781B	0_2_00FD781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD19B0	0_2_00FD19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC997D	0_2_00FC997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB7920	0_2_00FB7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD7A4A	0_2_00FD7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD7CA7	0_2_00FD7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD1C77	0_2_00FD1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE9EEE	0_2_00FE9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103BE44	0_2_0103BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD1F32	0_2_00FD1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FD0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FCF9F2 appears 31 times

Source: file.exe, 00000000.00000003.1898866204.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEe vs file.exe
Source: file.exe, 00000000.00000003.1898969740.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEe vs file.exe
Source: file.exe, 00000000.00000002.1905630439.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildFileO vs file.exe
Source: file.exe, 00000000.00000002.1905630439.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuilds vs file.exe
Source: file.exe, 00000000.00000003.1904234778.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEe vs file.exe
Source: file.exe, 00000000.00000003.1899153658.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEV vs file.exe
Source: file.exe, 00000000.00000003.1899153658.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1904979098.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEe vs file.exe
Source: file.exe, 00000000.00000003.1898740453.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEV vs file.exe
Source: file.exe, 00000000.00000003.1898740453.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1899241065.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEe vs file.exe
Source: file.exe, 00000000.00000003.1895320112.0000000003381000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildFileO vs file.exe
Source: file.exe, 00000000.00000003.1895320112.0000000003381000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuilds vs file.exe
Source: file.exe, 00000000.00000002.1905871127.00000000038DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1898951060.0000000000B69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEV vs file.exe
Source: file.exe, 00000000.00000003.1898951060.0000000000B69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@33/32@10/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010237B5 GetLastError,FormatMessageW,

0_2_010237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010110BF AdjustTokenPrivileges,CloseHandle,		0_2_010110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0103A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0102648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FB42A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\6f4d0126-b89f-4a74-bbac-50c2eb2de7e2.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1166336 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD0A76 push ecx; ret

0_2_00FD0A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FCF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01041C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94856

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1439			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 906			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 1439 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0102698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010268EE FindFirstFileW,FindClose,	0_2_010268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0102979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01029642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01029B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0101DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01025C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01025C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: file.exe, 00000000.00000003.1896633819.00000000034F2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-95354

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102EAA2 BlockInput,

0_2_0102EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00FD4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01010B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01010B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FD083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD09D5 SetUnhandledExceptionFilter,	0_2_00FD09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FD0C21

Source: C:\Users\user\Desktop\file.exe

0_2_01011201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FF2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101B226 SendInput,keybd_event,

0_2_0101B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101E355 mouse_event,

0_2_0101E355

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_01010B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01011663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01011663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD0698 cpuid

0_2_00FD0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01028195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01028195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100D27A GetUserNameW,

0_2_0100D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FEBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe, 00000000.00000003.1898662546.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01031204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01031204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01031806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01031806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	31 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Avira	TR/AutoIt.zstul
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://youtube.com/t/terms?gl=	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://policies.google.com/privacy/additional/embedded?gl=kr	0%	URL Reputation	safe
https://policies.google.com/terms/location/embedded	0%	URL Reputation	safe
https://www.youtube.com/t/terms?chromeless=1&hl=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe
https://www.google.com/intl/	0%	Avira URL Cloud	safe
https://www.youtube.com/account	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://play.google.com/log?format=json&hasfast=true	0%	Avira URL Cloud	safe
https://play.google.com/log?format=json&hasfast=true&authuser=0	0%	Avira URL Cloud	safe
https://www.youtube.com/accountKk	0%	Avira URL Cloud	safe
https://www.youtube.com/accountL	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://www.youtube.com/account~fh~	0%	Avira URL Cloud	safe
https://play.google.com/work/enroll?identifier=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	172.217.16.142	true	false	unknown
www3.l.google.com	142.250.184.238	true	false	unknown
play.google.com	142.250.185.206	true	false	unknown
www.google.com	142.250.185.164	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/account	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.youtube.com/accountKk	file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://play.google/intl/	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/location-data	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_90.3.dr	false	Avira URL Cloud: safe	unknown
https://apis.google.com/js/api.js	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_90.3.dr	false	Avira URL Cloud: safe	unknown
https://policies.google.com/terms/service-specific	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_90.3.dr	false	Avira URL Cloud: safe	unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_90.3.dr	false	Avira URL Cloud: safe	unknown
https://policies.google.com/privacy/additional/embedded?gl=kr	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location/embedded	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?hl=	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/accountL	file.exe, 00000000.00000002.1905751957.000000000351A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899311418.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903036536.0000000003512000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1896633819.00000000034F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/account~fh~	file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_90.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_90.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	unknown	United States	15169	GOOGLEUS	false
142.250.185.206	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
142.250.184.238	www3.l.google.com	United States	15169	GOOGLEUS	false
172.217.16.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467851
Start date and time:	2024-07-04 22:19:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@33/32@10/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 44 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131, 64.233.166.84, 216.58.206.46, 34.104.35.123, 142.250.181.227, 142.250.186.67, 142.250.185.138, 142.250.186.106, 172.217.16.138, 216.58.206.42, 142.250.185.74, 142.250.181.234, 142.250.185.202, 142.250.186.138, 142.250.186.42, 142.250.184.234, 142.250.184.202, 142.250.185.234, 172.217.16.202, 142.250.186.170, 142.250.185.170, 172.217.18.10, 142.250.186.74, 216.58.212.170, 172.217.18.106, 142.250.185.106, 216.58.206.74, 199.232.214.172, 192.229.221.95, 172.217.18.99, 74.125.71.84, 142.250.185.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://www.google.com/url?q=https://authitca-adobue-sign.us-ord-1.linodeobjects.com/apts.html&sa=D&source=editors&ust=1720118061448441&usg=AOvVaw1WUHTIwDQHQCe4Um2Fp0tG	Get hash	malicious	HTMLPhisher	Browse
	https://1drv.ms/b/c/76a2f2769a0f2d92/EVBBlcPr69hPlwB4teIJkR8BhOEwtE3haDg1sSdukRfZrw?e=geYoLr	Get hash	malicious	HTMLPhisher	Browse
	https://1drv.ms/b/c/76a2f2769a0f2d92/EVBBlcPr69hPlwB4teIJkR8BhOEwtE3haDg1sSdukRfZrw?e=geYoLr	Get hash	malicious	HTMLPhisher	Browse
	xJwSq336bs.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://chorbie.com/services/	Get hash	malicious	Unknown	Browse
	http://79.141.36.131	Get hash	malicious	Unknown	Browse
	https://share.mindmanager.com/#publish/mnPTcUqLfLnU6HRHMb6xC3qXYGZYU6tmBtOy3sS6	Get hash	malicious	HTMLPhisher	Browse
	hANEXOPDF.PDF40 234057.msi	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	xJwSq336bs.pdf	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://chorbie.com/services/	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	http://79.141.36.131	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	hANEXOPDF.PDF40 234057.msi	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	Invoice - 06736833774062515586349558087774116555577037575401 - Daiichi-sankyo.pdf	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	13.85.23.86 184.28.90.27
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\9a540d1b-7348-4c8a-95a6-63efbd690371 (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	5079
Entropy (8bit):	7.883725314168873
Encrypted:	false
SSDEEP:	96:m3Rj1FQw9b3TTMDcQGkLWts3J6kS7EE9rwcDDaH9DRenBalWmpWTgINmJoQJtz7p:cfxTTMoALWt8J9crwcPaHp8nBalWvTgX
MD5:	A5F386FD0946F745852138225CE67BF7
SHA1:	E338C9CFDD7DFF42BF0BB0D74562ED1ECA106F52
SHA-256:	B0802D8AD3ECE9FED12A5F09662A914030A68B960D789DDBA75C103534043E33
SHA-512:	82BCEBF810237AA6011E0F3EBC6FE449CAB1BE699D542CEF60AA967E98433FEDB254DB64457CD76676A87766B652AFFE3B81B6D4C2DCDCDDEC832CD5693A17DA
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............y.x...2LP.n9O.y.$M..f..J....E../..b..=1n.9..&Z...A.h&1. ...'\|..{f..h../@.....6}L..^.k.k9.i..T.0...0.-:.N.\..O..J......y...t&.Z.]....-.%.J%...! o...jG ..7.p...!.=K..A"...../.....j=Sv....$.....t..........6.....I..$1.q..5..H....w.wDs.;......@.9.j...44&.<....5.7............:<.y.:....9V;.....O...c.q.]fC.3._..f........`,%oO........[&.L...$..xD.Ru......a.>I.B.....l..d....J...r..`......I.Rn\-_%-.#0...b]d...~4

C:\Users\user\Downloads\6f4d0126-b89f-4a74-bbac-50c2eb2de7e2.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	5079
Entropy (8bit):	7.883725314168873
Encrypted:	false
SSDEEP:	96:m3Rj1FQw9b3TTMDcQGkLWts3J6kS7EE9rwcDDaH9DRenBalWmpWTgINmJoQJtz7p:cfxTTMoALWt8J9crwcPaHp8nBalWvTgX
MD5:	A5F386FD0946F745852138225CE67BF7
SHA1:	E338C9CFDD7DFF42BF0BB0D74562ED1ECA106F52
SHA-256:	B0802D8AD3ECE9FED12A5F09662A914030A68B960D789DDBA75C103534043E33
SHA-512:	82BCEBF810237AA6011E0F3EBC6FE449CAB1BE699D542CEF60AA967E98433FEDB254DB64457CD76676A87766B652AFFE3B81B6D4C2DCDCDDEC832CD5693A17DA
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............y.x...2LP.n9O.y.$M..f..J....E../..b..=1n.9..&Z...A.h&1. ...'\|..{f..h../@.....6}L..^.k.k9.i..T.0...0.-:.N.\..O..J......y...t&.Z.]....-.%.J%...! o...jG ..7.p...!.=K..A"...../.....j=Sv....$.....t..........6.....I..$1.q..5..H....w.wDs.;......@.9.j...44&.<....5.7............:<.y.:....9V;.....O...c.q.]fC.3._..f........`,%oO........[&.L...$..xD.Ru......a.>I.B.....l..d....J...r..`......I.Rn\-_%-.#0...b]d...~4

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (405)
Category:	downloaded
Size (bytes):	1600
Entropy (8bit):	5.234706685474562
Encrypted:	false
SSDEEP:	48:o79bWW+d1xb0KeRV8YtQy0aqdHgxbaQ77DfTBpbrw:oAB6KOVddbqSnLzw
MD5:	777F1FD23230384A286E78C5ACD6AC33
SHA1:	CC33BAC75FDD7CE9AD535CBCEAD5C91D974DF975
SHA-256:	277C957E852CD541B5D6D50B9A1CC3E6E6120DC704B529AADDA0171367557D98
SHA-512:	F785634C17C38826894B2D0D4363C26110418A9160AB36ACDFF2E6B76A2E07D32DD1BDA3D2D0F4D9BE3254DB834EB808FEA392A95B224AB5B94B429E69EBD1F0
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,VwDzFe,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.xf(_.mja);_.ew=function(a){_.J.call(this,a.Fa);this.aa=a.ab.cache};_.B(_.ew,_.J);_.ew.Na=_.J.Na;_.ew.Ba=function(){return{ab:{cache:_.mp}}};_.ew.prototype.execute=function(a){_.kb(a,function(b){var c;_.oe(b)&&(c=b.eb.Qb(b.jb));c&&this.aa.FD(c)},this);return{}};_.Pq(_.Hja,_.ew);._.l();._.k("VwDzFe");.var IE=function(a){_.J.call(this,a.Fa);this.aa=a.Da.Pj;this.ea=a.Da.metadata;this.da=a.Da.Zq};_.B(IE,_.J);IE.Na=_.J.Na;IE.Ba=function(){return{Da:{Pj:_.iE,metadata:_.FWa,Zq:_.fE}}};IE.prototype.execute=function(a){var b=this;a=this.da.create(a);return _.kb(a,function(c){var d=b.ea.getType(c.Hd())===2?b.aa.Vb(c):b.aa.aa(c);return _.Lj(c,_.jE)?d.then(function(e){return _.gd(e)}):d},this)};_.Pq(_.Mja,IE);._.l();._.k("sP4Vbe");._.EWa=new _.Ce(_.Ija);._.l();._.k("A7fCU");.var nE=function(a){_.J.call(this,a.Fa);this.aa=a.Da.lM};_.B(nE,_.J);nE.Na=_.J.Na;nE.Ba=function(){r

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (777)
Category:	downloaded
Size (bytes):	1481
Entropy (8bit):	5.316577802144649
Encrypted:	false
SSDEEP:	24:kMYD7xmEu0IvxqcNzoYcurO/qb99nyobhzWuNA+CkadpUGbX7MNa4VGbwCSF57M8:o7xmR0I5kc7b91xbf0dpUGbYNa4VGbwl
MD5:	FC2DC9D5B7292B603D399F3E3046665B
SHA1:	92D25D672FDDD209D97ED306541CE686B6FD51CE
SHA-256:	614049A345B7E332826D74B79163DF74EDDE93CA1A661EE468352D4E5F94574C
SHA-512:	7348DBAF2A5A1FC87E3017B9E504EF22A3EBA65EC6FD255DD127DB78384B56B80A101BE9101F5BADBA4717FBE460C6A8DBE07DBA5F918413BE36EF0D88716C50
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=bm51tf"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("kMFpHd");._.FWa=new _.Ce(_.Kk);._.l();._.k("bm51tf");.var IWa=!!(_.$f[0]>>26&1);var KWa=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ja=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=JWa(this)},LWa=function(a){var b={};_.Ma(a.xO(),function(e){b[e]=!0});var c=a.jO(),d=a.pO();return new KWa(a.dL(),c.aa()1E3,a.NN(),d.aa()1E3,b)},JWa=function(a){return Math.random()Math.min(a.waMath.pow(a.ja,a.aa),a.Ca)},oE=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var pE=function(a){_.J.call(this,a.Fa);this.Jc=null;this.ea=a.Da.sR;this.ja=a.Da.metadata;a=a.Da.Faa;this.da=a.ea.bind(a)};_.B(pE,_.J);pE.Na=_.J.Na;pE.Ba=function(){return{Da:{sR:_.GWa,metadata:_.FWa,Faa:_.zWa}}};pE.prototype.aa=function(a,b){if(this.ja.getType(a.Hd())!=1)return _.Vk(a);var c=this.ea.aa;return(c=c?LWa(c):null)&&oE(c)?_.Aua(a,MWa(this,a,b,c)):_.Vk(a)};.var MWa=function(a,b,c,d){return c.then(function(e)

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (574)
Category:	downloaded
Size (bytes):	3477
Entropy (8bit):	5.499342889552936
Encrypted:	false
SSDEEP:	96:oIByrBKfKVHcikUJFtlPMETAKv78pUCCjIw:INKS/vP3hv7mUbZ
MD5:	E18219F32F2747C14548BCFEE58B13CD
SHA1:	85307A7D3376A623245EB21D245B8BC4FA481908
SHA-256:	6479CFCD0C8840DD31DA0C55F596BDA37C28074517B5F063F5A5830EC27D0280
SHA-512:	EFE83897B3C1EE154EA3C14B3FFB4C242C065303F3F5A3DFA3E6E26C154B44509FE8E580D2402553CCDFABACEDD3F000FAC9171E861BBF22E6D56C5A6355CF47
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var jua=function(){var a=_.ge();return _.Bi(a,1)};var wq=function(a){this.Ea=_.t(a,0,wq.messageId)};_.B(wq,_.v);wq.prototype.Ha=function(){return _.ti(this,1)};wq.prototype.Za=function(a){return _.Ki(this,1,a)};wq.messageId="f.bo";var xq=function(){_.Fk.call(this)};_.B(xq,_.Fk);xq.prototype.Yc=function(){this.BP=!1;kua(this);_.Fk.prototype.Yc.call(this)};xq.prototype.aa=function(){lua(this);if(this.nA)return mua(this),!1;if(!this.xR)return yq(this),!0;this.dispatchEvent("p");if(!this.hL)return yq(this),!0;this.fJ?(this.dispatchEvent("r"),yq(this)):mua(this);return!1};.var nua=function(a){var b=new _.An(a.J0);a.iM!=null&&_.Ml(b,"authuser",a.iM);return b},mua=function(a){a.nA=!0;var b=nua(a),c="rt=r&f_uid="+_.Sg(a.hL);_.jl(b,(0,_.vf)(a.ea,a),"POST",c)};.xq.prototype.ea=function(a){a=a.target;lua(this);if(_.ml(a)){this.hH=0;if(this.fJ)this.nA=!1,this.dispatchEvent

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	30637
Entropy (8bit):	5.379716376439597
Encrypted:	false
SSDEEP:	768:ciVQqn5YPB1v2C82vd9BvjT4spXo6PVS+B3BWvJB6VSiV:cYYn2CzBvjT4GHPD00V
MD5:	1522EC1FD2855DE971E2341EA0A137BB
SHA1:	2E7564BBD084594968A105D2EBA5053A69F51F48
SHA-256:	B942FFA89D4E8337AE16D76A6D571DC0652D28D179D5B1BE9456D6967431FAEA
SHA-512:	5D35B151BE7A2D0D46E326A058622DF12FAE12687F0BC78C3E89CC1F65BC9043FEBE513FFAEF812BCEAB340F27EB16642545AE7AED4FAB1C820F9A76E2CC8619
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Bqa=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.An("//www.google.com/images/cleardot.gif");_.Ln(c)}this.ja=c};_.h=Bqa.prototype;_.h.Jc=null;_.h.UU=1E4;_.h.Nx=!1;_.h.fM=0;_.h.pG=null;_.h.QQ=null;_.h.setTimeout=function(a){this.UU=a};_.h.start=function(){if(this.Nx)throw Error("lb");this.Nx=!0;this.fM=0;Cqa(this)};_.h.stop=function(){Dqa(this);this.Nx=!1};.var Cqa=function(a){a.fM++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.Ik((0,_.vf)(a.dE,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.vf)(a.tda,a),a.aa.onerror=(0,_.vf)(a.sda,a),a.aa.onabort=(0,_.vf)(a.rda,a),a.pG=_.Ik(a.uda,a.UU,a),a.aa.src=String(a.ja))};_.h=Bqa.prototype;_.h.tda=function(){this.dE(!0)};_.h.sda=function(){this.dE(!1)};_.h.rda=function(){this.dE(!1)};_.h.uda=function(){this.dE(!1)};._.h.dE=function(a){Dqa(this);a?(this.Nx=!1,this.da.call(this.ea,!0)):this.fM<=0?Cqa(this):(this.Nx=!1,

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2362)
Category:	downloaded
Size (bytes):	233234
Entropy (8bit):	5.461099651008011
Encrypted:	false
SSDEEP:	3072:WSX0CBd2Buj8T4HvzoHfKxTadov0roCsu29d4XB:WA0CBd2BhT4EHS8rYEXB
MD5:	E7BF0144402B0EEFC94CCABCC21AA844
SHA1:	A2F60F7DBEC6AD86213569F6378416F9D30BFDD2
SHA-256:	0E5B31C3E9572181BA1E2636C6F00D35C8B4CD175926AD98290A3C7DD326CD9B
SHA-512:	1BA90D5B5CB8573FA7A9FC77C1FBC3E48F7D20F47C5839226E2432B1B054A25C00F5549245DFC5C5666EA0456E5DFE25D0D5829D9B84B61E0FD1164DFC60A026
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlH54BG8v8nODFaRpPlVprlo7CMoqA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x818601e, 0x51ce74, 0x739cf10, 0xa500f8, 0x321, 0x0, 0x19680000, 0xcc80, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT./.var baa,eaa,haa,laa,Va,Xa,Ya,maa,naa,Za,oaa,paa,qaa,db,vaa,yaa,vb,wb,zb,Iaa,Kaa,Oaa,Wb,Xb,Qaa,Raa,Waa,dba,eba,iba,lba,fba,kba,jba,hba,gba,mba,pc,rba,sba,pba,tba,xba,yba,zba,Dba,Eba,Fba,Gba,Hba,Kba,Xc,Nba,Mba,Pba,ad,Zc,Rba,Qba,Uba,Tba,dd,Xba,Yba,aca,bca,nd,dca,eca,Ed,md,rd,rca,oca,sca,tca,wca,yca,zca,mca,Lca,he,Nca,ie,Oca,Qca,Sca,Wca,Xca,Yca,Zca,bda,dda,kda,lda,mda,qda,zda,vda,Cda,$e,Fda,Gda,Hda,Kda,Mda,Pda,Qda,Rda,Sda,Tda,Wda,Xda,Yda,dea,fea,gea,hea

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (687)
Category:	downloaded
Size (bytes):	4140
Entropy (8bit):	5.371702264924607
Encrypted:	false
SSDEEP:	96:GPWUbFMvF/ygbQgs8qUoaCyPj8LvUe8tOFw:SWIF1R8qUVCywzzgt
MD5:	7DD911B1022E2F37811F8AAEEB74862E
SHA1:	36F79706B7E839CFF0DE16EE9CC7B026EE5019A2
SHA-256:	DD48C9475C9D2B02ED29382E9DD32791D671004BB217DB0B0F6750DA3011CD66
SHA-512:	03996AD04C65D47A9C364C63AEBCB3F58F41CCCE4DAD70840316853BEF2967A38797744FE62BFFF418B799EC71476DC6B49CFE3053F2B9BEBE62CF5A30EA7847
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.xf(_.Joa);._.k("sOXFj");.var Wq=function(a){_.J.call(this,a.Fa)};_.B(Wq,_.J);Wq.Na=_.J.Na;Wq.Ba=_.J.Ba;Wq.prototype.aa=function(a){return a()};_.Pq(_.Ioa,Wq);._.l();._.k("oGtAuc");._.Dua=new _.Ce(_.Joa);._.l();._.k("q0xTif");.var Bva=function(a){var b=function(d){_.Wl(d)&&(_.Wl(d).Cc=null,_.ir(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},ur=function(a){_.up.call(this,a.Fa);this.Pa=this.dom=null;if(this.Ei()){var b=_.qk(this.Of(),[_.Ok,_.Nk]);b=_.vh([b[_.Ok],b[_.Nk]]).then(function(c){this.Pa=c[0];this.dom=c[1]},null,this);_.Jq(this,b)}this.Oa=a.Ih.Y8};_.B(ur,_.up);ur.Ba=function(){return{Ih:{Y8:function(){return _.nf(this)}}}};ur.prototype.getContext=function(a){return this.Oa.getContext(a)};.ur.prototype.getData=function(a){return this.Oa.getData(a)};ur.protot

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (777)
Category:	downloaded
Size (bytes):	7624
Entropy (8bit):	5.356859202879639
Encrypted:	false
SSDEEP:	192:mnwTgK8AwrKbbW8UFBlkU+/IrlQFsq1o98fYlp2PDYGym4nV9U:9ZwrKbaV/38xW8jn
MD5:	23ED78C00699D0EF97404A3901525DD3
SHA1:	09125039F07B8B3DE33761BFEBB4E0754AEA6738
SHA-256:	B21A2E0BD7B733D42DB2FBC676E0710D00CF95491967ED46C8A204605DBFDA29
SHA-512:	22AE4F4142F19399EE8C5ACF4EED70F9D91C41E3BB138522F340684CBA2C4E1FFF5233950DC9328861F79970ACABE2F5A28B396392AA72AD1A92429D61425D67
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.ENa=_.y("wg1P6b",[_.Nx,_.Hl,_.Ol]);._.k("wg1P6b");.var K2a=function(a,b){b=b\|\|_.Ha;for(var c=0,d=a.length,e;c<d;){var f=c+(d-c>>>1);var g=b(0,a[f]);g>0?c=f+1:(d=f,e=!g)}return e?c:-c-1},L2a=function(a,b){for(;b=b.previousSibling;)if(b==a)return-1;return 1},M2a=function(a,b){var c=a.parentNode;if(c==b)return-1;for(;b.parentNode!=c;)b=b.parentNode;return L2a(b,a)},N2a=function(a,b){if(a==b)return 0;if(a.compareDocumentPosition)return a.compareDocumentPosition(b)&2?1:-1;if("sourceIndex"in a\|\|a.parentNode&&"sourceIndex"in a.parentNode){var c=a.nodeType==.1,d=b.nodeType==1;if(c&&d)return a.sourceIndex-b.sourceIndex;var e=a.parentNode,f=b.parentNode;return e==f?L2a(a,b):!c&&_.lh(e,b)?-1*M2a(a,b):!d&&_.lh(f,a)?M2a(b,a):(c?a.sourceIndex:e.sourceIndex)-(d?b.sourceIndex:f.sourceIndex)}d=_.ah(a);c=d.createRange();c.selectNode(a);c.collapse(!0);a=d.createRange();a.selectNode(b);a.colla

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (467)
Category:	downloaded
Size (bytes):	1884
Entropy (8bit):	5.280363294341128
Encrypted:	false
SSDEEP:	48:o74b7AJ0qbL3AUFQp9/j7kOXTf43Z/rm7ZbZrw:oKFSLrFw/3FXjaeZbVw
MD5:	6759666E5C2624986C2FBE9208D39C80
SHA1:	4732C0CE332CEED1414CD2A6D4BEBEFD06A59115
SHA-256:	C0F98E792B9160E018D61998788E81396C68FB14E058C168E538A9AD6167533F
SHA-512:	BCF00B74425A487A6F378FDEBAE1591E1FF6EF50B065850182ADDF239FFDBBA1882E96EF54775AB490CC4F4342337AA9E01286F85424856836082B33866FA26D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.DY=function(a){_.J.call(this,a.Fa);this.window=a.Da.window.get();this.Dc=a.Da.Dc};_.B(_.DY,_.J);_.DY.Na=_.J.Na;_.DY.Ba=function(){return{Da:{window:_.Tq,Dc:_.mC}}};_.DY.prototype.wo=function(){};_.DY.prototype.addEncryptionRecoveryMethod=function(){};_.EY=function(a){return(a==null?void 0:a.Bq)\|\|function(){}};_.FY=function(a){return(a==null?void 0:a.vda)\|\|function(){}};_.GY=function(a){return(a==null?void 0:a.oo)\|\|function(){}};._.IDb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.JDb=function(a){setTimeout(function(){throw a;},0)};_.DY.prototype.lK=function(){return!0};_.Pq(_.Fl,_.DY);._.l();._.k("ziXSP");.var eZ=function(a){_.DY.call(this,a.Fa)};_.B(eZ,_.DY);eZ.Na=_.DY.Na;eZ.Ba=_.DY.Ba;eZ.prototype.wo=function(a,b,c){var d;

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (4478)
Category:	downloaded
Size (bytes):	19418
Entropy (8bit):	5.379195390856238
Encrypted:	false
SSDEEP:	384:gJEePjmMfOH3Qm45RAGSeIMPW2NYZvnXYv3HAEfqwuhU3p9uj9QtJg:oROXQm456AYZvoPhfVIUSj9QtJg
MD5:	9CE9445F24BFC74018956880D606553C
SHA1:	ECF89E11E2091ACB1AF6735C9AF94AB19984F602
SHA-256:	797EF136123058C1D54A0AE365896D4E56FB3D84E83D60EF840D16BBAD8AC6BB
SHA-512:	7B25B6EB9B03A2118AE112AE00E774CBD9928DF69F49DA762D88255F30533CD3E6F576C82F0220FC393FA5E08544188ED210135CE17FB03B76505BF03F48A9BE
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var HDa=_.ca.URL,IDa,JDa,LDa,KDa;try{new HDa("http://example.com"),IDa=!0}catch(a){IDa=!1}JDa=IDa;.LDa=function(a){var b=_.hh("A");try{_.Jb(b,new _.xb(a));var c=b.protocol}catch(e){throw Error("qc`"+a);}if(c===""\|\|c===":"\|\|c[c.length-1]!=":")throw Error("qc`"+a);if(!KDa.has(c))throw Error("qc`"+a);if(!b.hostname)throw Error("qc`"+a);var d=b.href;a={href:d,protocol:b.protocol,username:"",password:"",hostname:b.hostname,pathname:"/"+b.pathname,search:b.search,hash:b.hash,toString:function(){return d}};KDa.get(b.protocol)===b.port?(a.host=a.hostname,a.port="",a.origin=a.protocol+"//"+a.hostname):.(a.host=b.host,a.port=b.port,a.origin=a.protocol+"//"+a.hostname+":"+a.port);return a};._.MDa=function(a){if(JDa){try{var b=new HDa(a)}catch(d){throw Error("qc`"+a);}var c=KDa.get(b.protocol);if(!c)throw Error("qc`"+a);if(!b.hostname)throw Error("qc`"+a);b.origin=="null"&&(a={href:b.hre

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1192)
Category:	downloaded
Size (bytes):	96558
Entropy (8bit):	5.542959034430961
Encrypted:	false
SSDEEP:	1536:h5K9QgDoJZFMZZMR3Du4JnSyg/FyO7D4yQFPA0tEFHvnAwDyHK:K9rYFjDu4Jnzg/AO7hWPA0tE9vGHK
MD5:	E020446EC64C78D8127C8E4D0C8D08DB
SHA1:	6447A74183CD590FAB25C008E60F838D09BF12E1
SHA-256:	32779135C0EC086DA69B2DC597A8620CAEE8E104E079B5A02D98A8676712577E
SHA-512:	08348FAF64E033574D45446D75B8DFA01EE111C0FEE508ECE2E685C7C4986B833594279BD681E5DA2A02C5FB27DF039DF7E9751BB63A115AF4D3BB0688EA7659
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=AvtSve,CMcBD,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,eVCnO,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qmdT9,r1n9ec,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,qPfo0c,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ltDFwf");.var jxb=_.y("ltDFwf");var CU=function(a){_.K.call(this,a.Fa);var b=this.oa();this.xb=this.Sa("P1ekSe");this.mb=this.Sa("cQwEuf");this.da=b.getData("progressvalue").number(0);this.ja=b.getData("buffervalue").number(1);this.Ca=b.Cb("B6Vhqe");this.Oa=b.Cb("juhVM");this.wa=b.Cb("D6TUi");this.aa=b.Cb("qdulke");this.La=this.da!==0;this.Ka=this.ja!==1;this.Ga=[];this.ea=_.is(this).Vb(function(){this.Ga.length&&(this.Ga.forEach(this.g$,this),this.Ga=[]);this.La&&(this.La=!1,this.xb.rb("transform","scaleX("+this.da+")"));this.Ka&&.(this.Ka=!1,this.mb.rb("transform","scaleX("+this.ja+")"));_.er(b,"B6Vhqe",this.Ca);_.er(b,"D6TUi",this.wa);_.er(b,"juhVM",this.Oa);_.er(b,"qdulke",this.aa)}).build();this.ea();_.Fg&&_.is(this).Vb(function(){b.tb("ieri7c")}).Fe().build()();_.bA(this.oa().el(),this.Ta.bind(this))};_.B(CU,_.K);CU.Ba=_.K.Ba;.CU.prototype.Ta=function(a,b){kxb(this

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (693)
Category:	downloaded
Size (bytes):	3143
Entropy (8bit):	5.37079395351489
Encrypted:	false
SSDEEP:	48:o7gbuQLkZHPLbrzOw3KP757NQ8jsKyYqb6f4np/EkGuf/x06IZ2rw:orQGXJaT57OMNwp/kufJRgqw
MD5:	DB38B407EAF251C03254DA070DF97E29
SHA1:	440A9FE061A55A3C2E20FC8D5421CB89B691C4D5
SHA-256:	7071B6E12C5D15142A9D5EF16103678A3038B6D8FFDCDCE248C9E26B9D4D0E81
SHA-512:	B99B5DDA32BACF2C79CB23FFD9EC624AD678243C6DBEC19409C298C09486E8F38F31AD658A23BC9D5E249E7D906BA66C303EA3B84F63FD6B053CF588B718F377
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,F6sNGb,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,lRrMHd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,r1n9ec,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gw=function(a){_.J.call(this,a.Fa)};_.B(gw,_.J);gw.Na=_.J.Na;gw.Ba=_.J.Ba;gw.prototype.aO=function(a){return _.qe(this,{ab:{hP:_.zj}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.sh(function(e){window._wjdc=function(f){d(f);e(EFa(f,b,a))}}):EFa(c,b,a)})};var EFa=function(a,b,c){return(a=a&&a[c])?a:b.ab.hP.aO(c)};.gw.prototype.aa=function(a,b){var c=_.Vta(b).Fi;if(c.startsWith("$")){var d=_.Zl.get(a);_.$p[b]&&(d\|\|(d={},_.Zl.set(a,d)),d[c]=_.$p[b],delete _.$p[b],_.aq--);if(d)if(a=d[c])b=_.pe(a);else throw Error("Xb`"+b);else b=null}else b=null;return b};_.Pq(_.mea,gw);._.l();._.k("SNUn3");._.DFa=new _.Ce(_.yf);._.l();._.k("RMhBfe");.var FFa=function(a,b){a=_.msa(a,b);return a.length==0?null:a[0].ctor},GFa=function(){return Object.values(_.Yo).reduce(function(a,b){return a+Object.keys(b).length},0)},HFa=function(){return Object.entries

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	44
Entropy (8bit):	4.453416561671607
Encrypted:	false
SSDEEP:	3:8VKJmQcwVbF7KnZ:BJmjwVbF7KZ
MD5:	491DC96011445194971CFAE6A7A0B191
SHA1:	74BD675A8CBC8AF507C0EB5509727EA3F9B85060
SHA-256:	C3BA6FCBB38A83C87009DEE4BAB93A9B3274553128D77E5B2C04077ECD35C1D3
SHA-512:	38356EF67B6B704F2129828299E516B04B29EA1EEB25CF356E22E3AFEC7A875E2187F70E9E7CF0467DEFA14F11D802ACF00D69B2B13EFEA025942E21383AC35E
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Ch8KBw0ZARP6GgAKCw3oIX6GGgQISxgCCgcN05ioBxoA

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (44533)
Category:	downloaded
Size (bytes):	836241
Entropy (8bit):	5.751370782507753
Encrypted:	false
SSDEEP:	6144:PLTYSPd+lWTqKZF8hmDrIMmqu3+jgX0BWj4+X+bW1wp8S+lo:PLTYSF+lWTASNjGXLC9
MD5:	775F8A77AAE74DB7478D5EDADF67460A
SHA1:	740A72415AC75C2F1E08654386BC7B1B5E21BC5C
SHA-256:	01917BB57EA57B80D14AD3FACD6560106AA6935A26077C0AD13BF460751D8A65
SHA-512:	E8FFE4E59CC021EB2DC32B7050922BA61EC75A17C40245F399AE4064BBCD2029DA014E5D33D44F8447120DA2727ACC55DB6838A75563F6E7C276462907F92679
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.ZU1EFvXsC20.es5.O/ck=boq-identity.AccountsSignInUi.DDD9SPcAL2k.L.B1.O/am=HmAYCJ1zFADxnHPgA5QCIQMAAAAAAAAAgJYBMgM/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEfiLuEnjxYrdf-rk4qPrRacOxopQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:F6sNGb;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,STuCOe,njlZCf,m9oV,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,lRrMHd,xBaz7b,F6sNGb,eVCnO,r1n9ec,LDQI"
Preview:	"use strict";_F_installCss(".VfPpkd-Sx9Kwc .VfPpkd-P5QLlc{background-color:#fff;background-color:var(--mdc-theme-surface,#fff)}.VfPpkd-Sx9Kwc .VfPpkd-IE5DDf,.VfPpkd-Sx9Kwc .VfPpkd-P5QLlc-GGAcbc{background-color:rgba(0,0,0,.32)}.VfPpkd-Sx9Kwc .VfPpkd-k2Wrsb{color:rgba(0,0,0,.87)}.VfPpkd-Sx9Kwc .VfPpkd-cnG4Wd{color:rgba(0,0,0,.6)}.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub{color:#000;color:var(--mdc-theme-on-surface,#000)}.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub .VfPpkd-Bz112c-Jh9lGc::before,.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub .VfPpkd-Bz112c-Jh9lGc::after{background-color:#000;background-color:var(--mdc-ripple-color,var(--mdc-theme-on-surface,#000))}.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub:hover .VfPpkd-Bz112c-Jh9lGc::before,.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub.VfPpkd-ksKsZd-XxIAqe-OWXEXe-ZmdkE .VfPpkd-Bz112c-Jh9lGc::before{opacity:.04;opacity:var(--mdc-ripple-hover-opacity,.04)}.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub.VfPpkd-ksKsZd-mWPk3d-OWXEXe-AHe6Kc-XpnDCe .VfPpkd-Bz112c-Jh9lGc::before,.VfPpkd-Sx9Kwc .VfPpkd-zMU9ub:not(.VfPpkd-ksKsZd-mWPk3d):

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.035566206169367
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'166'336 bytes
MD5:	86738dd73219b83320ba19af11c97e11
SHA1:	a18ae0b3abf1aabece29993b227eef15f8e055e1
SHA256:	6e517782e2e25b874ddf2861144e814309235517cf517890efff1a183c014b21
SHA512:	45150d8ddc155c52fde993b308d79bd5fb57c835339de9bee7e98a7a035a79ac947d8ecab8bbd2873b4ba75b3a6a5956769a234c929c183b7fdf1284ce08e3ae
SSDEEP:	24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8auA2+b+HdiJUX:1TvC/MTQYxsWR7auA2+b+HoJU
TLSH:	DC45BF027391C062FF9B92734F5AF6115BBC69260123E61F13981DBABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6686FFF0 [Thu Jul 4 20:02:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F14C8DE69B3h
jmp 00007F14C8DE62BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F14C8DE649Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F14C8DE646Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F14C8DE905Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F14C8DE90A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F14C8DE9091h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4617c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4617c	0x46200	910b017b132d2151dab95bc6165504b0	False	0.9065877061051694	data	7.844101244228603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3d444	data			1.0003427004797807
RT_GROUP_ICON	0x119bfc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x119c74	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x119c88	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x119c9c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x119cb0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x119d8c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 22:19:50.393897057 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 4, 2024 22:19:54.986323118 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:54.986329079 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:54.986390114 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:54.991180897 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:54.991190910 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.649049997 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.649252892 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.649281979 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.649691105 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.649746895 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.650414944 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.650463104 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.651895046 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.651962996 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.652025938 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.652034998 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.692559004 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.969230890 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.969249010 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.969295979 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.969309092 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.969351053 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:55.969392061 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.972660065 CEST	49732	443	192.168.2.4	172.217.16.142
Jul 4, 2024 22:19:55.972665071 CEST	443	49732	172.217.16.142	192.168.2.4
Jul 4, 2024 22:19:59.391885996 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:19:59.391935110 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:19:59.392004013 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:19:59.392290115 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:19:59.392306089 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:19:59.996157885 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 4, 2024 22:20:00.064505100 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:00.065212011 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:00.065223932 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:00.066239119 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:00.066306114 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:00.067249060 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:00.067306042 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:00.110758066 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.110789061 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:00.110994101 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.112955093 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.112967968 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:00.120867014 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:00.120874882 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:00.173435926 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:00.768338919 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:00.768425941 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.771887064 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.771897078 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:00.772139072 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:00.807058096 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:00.852514029 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.042798996 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.042859077 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.042903900 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.042927980 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.042934895 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.042946100 CEST	49747	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.042951107 CEST	443	49747	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.098205090 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.098247051 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.098326921 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.098704100 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.098722935 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.755397081 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.755501032 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.761673927 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.761683941 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.761934996 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:01.763036966 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:01.804500103 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:02.035481930 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:02.035563946 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:02.036076069 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:02.041318893 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:02.041332006 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:02.041348934 CEST	49748	443	192.168.2.4	184.28.90.27
Jul 4, 2024 22:20:02.041356087 CEST	443	49748	184.28.90.27	192.168.2.4
Jul 4, 2024 22:20:02.866408110 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:02.866441011 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:02.866503000 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:02.866739988 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:02.866753101 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.542907000 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.543133974 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.543147087 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.543571949 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.543625116 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.544295073 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.544354916 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.549899101 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.549979925 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.550079107 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.550093889 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.595163107 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.875410080 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.875482082 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.875536919 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.875658989 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.875658989 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.875678062 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.882083893 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.882143974 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.882152081 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.888617039 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.888665915 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.888669014 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.888683081 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.888717890 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.894083977 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.894157887 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.897089958 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.897114992 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:03.897185087 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.897393942 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.897408009 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:03.901657104 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.901699066 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.901727915 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.901736021 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.901776075 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.951622009 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.951668024 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:03.951723099 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.952178955 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:03.952192068 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:03.968771935 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.968825102 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.968859911 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.968950987 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.968950987 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.968965054 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.970520973 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.970558882 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.970582008 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.970591068 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.970632076 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.977461100 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.977525949 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.983969927 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.984038115 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.984069109 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.990413904 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:03.990478992 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:03.990490913 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:04.008049965 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:04.008101940 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:04.008116961 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:04.008229017 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:04.008264065 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 4, 2024 22:20:04.008312941 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 4, 2024 22:20:04.570384979 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.570810080 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.570826054 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.571212053 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.571278095 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.571938038 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.571990967 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.572875977 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.572941065 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.573153019 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.573162079 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.605710030 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.605879068 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.605900049 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.606250048 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.606307030 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.606946945 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.607002020 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.607114077 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.607167006 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.607326984 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.607333899 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.614178896 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.660314083 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.854171038 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.854235888 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.854288101 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.854656935 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.854674101 CEST	443	49759	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.854685068 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.854716063 CEST	49759	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.855498075 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.855525970 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.855581045 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.855897903 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.855910063 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.892966986 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.893273115 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.893326044 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.893537998 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.893537998 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.893548012 CEST	443	49761	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.893594027 CEST	49761	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.894151926 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.894164085 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:04.894223928 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.894501925 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:04.894512892 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.531024933 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.531385899 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.531404018 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.531748056 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.531819105 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.532438993 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.532490015 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.532638073 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.532699108 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.532815933 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.532824039 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.532840014 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.576502085 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.576670885 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.576845884 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.576859951 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.577197075 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.577260971 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.577863932 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.577913046 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.578015089 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.578088045 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.578109026 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.578139067 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.578146935 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.580848932 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.627774000 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.734129906 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.734253883 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.734308004 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.734765053 CEST	49763	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.734791040 CEST	443	49763	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.788521051 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.788642883 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.788696051 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.789244890 CEST	49766	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:05.789273977 CEST	443	49766	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:05.825962067 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:05.868501902 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100179911 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100219011 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100248098 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100261927 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.100274086 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100302935 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100310087 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.100316048 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100363016 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.100661039 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100696087 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.100738049 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.101591110 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.101603031 CEST	443	49742	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:06.101610899 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:06.101650000 CEST	49742	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:11.848891973 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:11.848936081 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:11.849092960 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:11.849400997 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:11.849415064 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.229490042 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.229777098 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.229789019 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.230144024 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.230504990 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.230581999 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.230834961 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.230906963 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.230912924 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.258526087 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:13.258552074 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:13.258624077 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:13.364394903 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:13.364422083 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:13.528228045 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.528383017 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:13.528433084 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.530939102 CEST	49772	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:13.530960083 CEST	443	49772	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:14.079432964 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:14.079528093 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:14.083117008 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:14.083131075 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:14.083338976 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:14.135381937 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:14.226357937 CEST	56319	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:14.233231068 CEST	53	56319	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:14.233336926 CEST	56319	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:14.239993095 CEST	53	56319	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:14.705776930 CEST	56319	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:14.711319923 CEST	53	56319	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:14.711385012 CEST	56319	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:15.227412939 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.272501945 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462306976 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462328911 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462337017 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462354898 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462366104 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462378979 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462385893 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.462393999 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.462419033 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.462444067 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.463192940 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.463251114 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.463260889 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.463366985 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.464754105 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.970909119 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.970935106 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:15.970946074 CEST	49773	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:15.970952034 CEST	443	49773	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:17.202742100 CEST	49723	80	192.168.2.4	93.184.221.240
Jul 4, 2024 22:20:17.220805883 CEST	80	49723	93.184.221.240	192.168.2.4
Jul 4, 2024 22:20:17.220865011 CEST	49723	80	192.168.2.4	93.184.221.240
Jul 4, 2024 22:20:33.954714060 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:33.954760075 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:33.954854965 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:33.955502987 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:33.955514908 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.336666107 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.336699009 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.336798906 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.337136984 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.337156057 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.630686998 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.631151915 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.631184101 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.631490946 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.631788969 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.631843090 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.631963015 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.631997108 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.632003069 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.896037102 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.896066904 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.896147013 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.896498919 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.896516085 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.932666063 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.932806969 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.932873964 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.933161974 CEST	56326	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.933182001 CEST	443	56326	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.983957052 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.984249115 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.984266996 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.984651089 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.984941006 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.985004902 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:34.985078096 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.985095978 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:34.985107899 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.182408094 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.182549953 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.182612896 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.183182955 CEST	56327	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.183197975 CEST	443	56327	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.593846083 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.594202995 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.594213009 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.594532967 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.594856024 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.594912052 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.595026970 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.595052004 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.595056057 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.793302059 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.793426991 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:35.793484926 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.794157028 CEST	56328	443	192.168.2.4	142.250.185.206
Jul 4, 2024 22:20:35.794168949 CEST	443	56328	142.250.185.206	192.168.2.4
Jul 4, 2024 22:20:52.337444067 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:52.337485075 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:52.337562084 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:52.337987900 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:52.338005066 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.181030989 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.181097984 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.184885979 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.184892893 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.185115099 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.193624973 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.236509085 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.447845936 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.447873116 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.447889090 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.447978973 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.448000908 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.448052883 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.448875904 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.448925972 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.448945045 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.448951006 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.448978901 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.449178934 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.449229002 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.452322006 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.452337980 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:53.452388048 CEST	56329	443	192.168.2.4	13.85.23.86
Jul 4, 2024 22:20:53.452394009 CEST	443	56329	13.85.23.86	192.168.2.4
Jul 4, 2024 22:20:59.441406965 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:59.441432953 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:20:59.441502094 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:59.441829920 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:20:59.441844940 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:00.110282898 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:00.110704899 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:00.110718012 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:00.111038923 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:00.111376047 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:00.111430883 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:00.158513069 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:04.390198946 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:04.390235901 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:04.390320063 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:04.390640020 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:04.390652895 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.070302963 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.070765018 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.070781946 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.072057962 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.072377920 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.072546005 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.072552919 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.072563887 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.072623968 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.113039017 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.355844021 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.356262922 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.356324911 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.356455088 CEST	56332	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.356477976 CEST	443	56332	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.596159935 CEST	49724	80	192.168.2.4	93.184.221.240
Jul 4, 2024 22:21:05.601546049 CEST	80	49724	93.184.221.240	192.168.2.4
Jul 4, 2024 22:21:05.601711035 CEST	49724	80	192.168.2.4	93.184.221.240
Jul 4, 2024 22:21:05.959490061 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.959522009 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:05.959594011 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.959948063 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:05.959961891 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.634548903 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.634947062 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.634967089 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.635462046 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.635847092 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.635924101 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.636061907 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.636095047 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.636101961 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.835460901 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.835607052 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:06.835658073 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.836431980 CEST	56334	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:06.836447001 CEST	443	56334	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:10.019328117 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:10.019397974 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:10.019452095 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:23.612723112 CEST	56331	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:23.612732887 CEST	443	56331	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:38.025376081 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.025425911 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.025510073 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.025968075 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.025981903 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.192751884 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.192780018 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.192878008 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.193198919 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.193212032 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.691574097 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.691955090 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.691977978 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.692333937 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.692646980 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.692706108 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.692811966 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.692854881 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.692861080 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.841521025 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.841914892 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.841929913 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.842437029 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.842735052 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.842813969 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.842890024 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.842927933 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.842933893 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.890358925 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.890803099 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:38.890876055 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.891026974 CEST	56336	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:38.891042948 CEST	443	56336	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:39.121712923 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:39.121862888 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:39.121915102 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:39.122421980 CEST	56337	443	192.168.2.4	142.250.186.46
Jul 4, 2024 22:21:39.122433901 CEST	443	56337	142.250.186.46	192.168.2.4
Jul 4, 2024 22:21:59.500854015 CEST	56338	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:59.500893116 CEST	443	56338	142.250.185.164	192.168.2.4
Jul 4, 2024 22:21:59.500948906 CEST	56338	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:59.501405001 CEST	56338	443	192.168.2.4	142.250.185.164
Jul 4, 2024 22:21:59.501419067 CEST	443	56338	142.250.185.164	192.168.2.4
Jul 4, 2024 22:22:00.148906946 CEST	443	56338	142.250.185.164	192.168.2.4
Jul 4, 2024 22:22:00.189745903 CEST	56338	443	192.168.2.4	142.250.185.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 22:19:54.845520020 CEST	53	53263	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:54.848104954 CEST	59837	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:19:54.848248005 CEST	57641	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:19:54.855293989 CEST	53	59837	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:54.855458021 CEST	53	57641	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:54.864583015 CEST	53	51200	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:56.006247044 CEST	53	51975	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:58.644516945 CEST	53	61974	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:59.254301071 CEST	53	64734	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:59.380610943 CEST	54344	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:19:59.380740881 CEST	49589	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:19:59.388406038 CEST	53	49589	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:59.389076948 CEST	53	54344	1.1.1.1	192.168.2.4
Jul 4, 2024 22:19:59.982676029 CEST	53	61410	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:02.857777119 CEST	62029	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:02.857913017 CEST	53467	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:02.865154982 CEST	53	62029	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:02.865802050 CEST	53	53467	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:03.887939930 CEST	52660	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:03.888117075 CEST	54297	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:20:03.895317078 CEST	53	54297	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:03.896656036 CEST	53	52660	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:07.916924953 CEST	53	52674	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:13.232631922 CEST	53	59446	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:14.223006964 CEST	53	58465	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:17.055160046 CEST	138	138	192.168.2.4	192.168.2.255
Jul 4, 2024 22:20:32.061463118 CEST	53	65385	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:54.732649088 CEST	53	53604	1.1.1.1	192.168.2.4
Jul 4, 2024 22:20:54.759886980 CEST	53	52930	1.1.1.1	192.168.2.4
Jul 4, 2024 22:21:04.382771015 CEST	59819	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:21:04.382919073 CEST	51857	53	192.168.2.4	1.1.1.1
Jul 4, 2024 22:21:04.389561892 CEST	53	59819	1.1.1.1	192.168.2.4
Jul 4, 2024 22:21:04.389813900 CEST	53	51857	1.1.1.1	192.168.2.4
Jul 4, 2024 22:21:04.874022007 CEST	53	56146	1.1.1.1	192.168.2.4
Jul 4, 2024 22:21:23.621480942 CEST	53	59598	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 22:19:54.848104954 CEST	192.168.2.4	1.1.1.1	0x4c4b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.848248005 CEST	192.168.2.4	1.1.1.1	0x3961	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Jul 4, 2024 22:19:59.380610943 CEST	192.168.2.4	1.1.1.1	0x2e15	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:59.380740881 CEST	192.168.2.4	1.1.1.1	0xc59a	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jul 4, 2024 22:20:02.857777119 CEST	192.168.2.4	1.1.1.1	0xd6e8	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:20:02.857913017 CEST	192.168.2.4	1.1.1.1	0x5506	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Jul 4, 2024 22:20:03.887939930 CEST	192.168.2.4	1.1.1.1	0xee43	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:20:03.888117075 CEST	192.168.2.4	1.1.1.1	0x993d	Standard query (0)	play.google.com	65	IN (0x0001)	false
Jul 4, 2024 22:21:04.382771015 CEST	192.168.2.4	1.1.1.1	0x236e	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:21:04.382919073 CEST	192.168.2.4	1.1.1.1	0xb901	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855293989 CEST	1.1.1.1	192.168.2.4	0x4c4b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855458021 CEST	1.1.1.1	192.168.2.4	0x3961	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 22:19:54.855458021 CEST	1.1.1.1	192.168.2.4	0x3961	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Jul 4, 2024 22:19:59.388406038 CEST	1.1.1.1	192.168.2.4	0xc59a	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 4, 2024 22:19:59.389076948 CEST	1.1.1.1	192.168.2.4	0x2e15	No error (0)	www.google.com		142.250.185.164	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:20:02.865154982 CEST	1.1.1.1	192.168.2.4	0xd6e8	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 22:20:02.865154982 CEST	1.1.1.1	192.168.2.4	0xd6e8	No error (0)	www3.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:20:02.865802050 CEST	1.1.1.1	192.168.2.4	0x5506	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 22:20:03.896656036 CEST	1.1.1.1	192.168.2.4	0xee43	No error (0)	play.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Jul 4, 2024 22:21:04.389561892 CEST	1.1.1.1	192.168.2.4	0x236e	No error (0)	play.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.217.16.142	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:19:55 UTC	810	OUT	GET /account HTTP/1.1 Host: www.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:19:55 UTC	2470	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 04 Jul 2024 20:19:55 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Thu, 04-Jul-2024 20:49:55 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=Wy5fzycxdas; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=EemFloXdkQQ; Domain=.youtube.com; Expires=Tue, 31-Dec-2024 20:19:55 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgJw%3D%3D; Domain=.youtube.com; Expires=Tue, 31-Dec-2024 20:19:55 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:00 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-04 20:20:01 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=38642 Date: Thu, 04 Jul 2024 20:20:00 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-04 20:20:02 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=38662 Date: Thu, 04 Jul 2024 20:20:01 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-04 20:20:02 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49756	142.250.184.238	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:03 UTC	1224	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-650802130&timestamp=1720124401898 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:20:03 UTC	1953	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-GSoIXSo7jp-k5KvTcaFLRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 04 Jul 2024 20:20:03 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzj0tDikmII0JBikPj6kkkNiJ3SZ7AGAHHSv_OsBUC8JOIi64HEi6xCPByf2-dsYRO4caD5OZOSXlJ-YXxmSmpeSWZJZUp-bmJmXnJ-fnZmanFxalFZalG8kYGRiYGZkbGegUV8gQEA_I4m0g" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 37 36 36 36 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 47 53 6f 49 58 53 6f 37 6a 70 2d 6b 35 4b 76 54 63 61 46 4c 52 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7666<html><head><script nonce="GSoIXSo7jp-k5KvTcaFLRg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 64 29 7b 72 65 74 75 72 6e 20 64 20 69 6e 20 62 7d 29 5d 7c 7c 22 22 7d 7d 2c 71 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 0a 66 61 28 29 3b 69 66 28 61 3d 3d 3d 22 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 22 29 7b 69 66 28 6a 61 28 29 29 69 66 28 28 61 3d 2f 72 76 3a 20 2a 28 5b 5c 64 5c 2e 5d 2a 29 2f 2e 65 78 65 63 28 62 29 29 26 26 61 5b 31 5d 29 62 3d 61 5b 31 5d 3b 65 6c 73 65 7b 61 3d 22 22 3b 76 61 72 20 63 3d 2f 4d 53 49 45 20 2b 28 5b 5c 64 5c 2e 5d 2b 29 2f 2e 65 78 65 63 28 62 29 3b 69 66 28 63 26 26 63 5b 31 5d 29 69 66 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 Data Ascii: function(d){return d in b})]\|\|""}},qa=function(a){var b=fa();if(a==="Internet Explorer"){if(ja())if((a=/rv: ([\d\.])/.exec(b))&&a[1])b=a[1];else{a="";var c=/MSIE +([\d\.]+)/.exec(b);if(c&&c[1])if(b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])swit
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 76 6f 69 64 20 30 3b 69 66 28 61 3d 3d 6e 75 6c 6c 29 7b 76 61 72 20 64 3d 39 36 3b 63 3f 28 61 3d 5b 63 5d 2c 64 7c 3d 35 31 32 29 3a 61 3d 5b 5d 3b 62 26 26 28 64 3d 64 26 2d 31 36 37 36 30 38 33 33 7c 28 62 26 31 30 32 33 29 3c 3c 31 34 29 7d 65 6c 73 65 7b 69 66 28 21 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 6e 22 29 3b 64 3d 7a 28 61 29 3b 69 66 28 64 26 32 30 34 38 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 6f 22 29 3b 69 66 28 64 26 0a 36 34 29 72 65 74 75 72 6e 20 61 3b 64 7c 3d 36 34 3b 69 66 28 63 26 26 28 64 7c 3d 35 31 32 2c 63 21 3d 3d 61 5b 30 5d 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 70 22 29 3b 61 3a 7b 63 3d 61 3b 76 61 72 20 65 3d 63 2e 6c 65 6e 67 74 68 3b 69 66 28 65 29 7b 76 61 72 Data Ascii: void 0;if(a==null){var d=96;c?(a=[c],d\|=512):a=[];b&&(d=d&-16760833\|(b&1023)<<14)}else{if(!Array.isArray(a))throw Error("n");d=z(a);if(d&2048)throw Error("o");if(d&64)return a;d\|=64;if(c&&(d\|=512,c!==a[0]))throw Error("p");a:{c=a;var e=c.length;if(e){var
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 73 74 72 75 63 74 6f 72 2e 63 61 3b 76 61 72 20 65 3d 4b 61 28 63 3f 61 2e 43 3a 62 29 3b 69 66 28 61 3d 62 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 66 3d 62 5b 61 2d 31 5d 2c 68 3d 77 61 28 66 29 3b 68 3f 61 2d 2d 3a 66 3d 76 6f 69 64 20 30 3b 65 3d 2b 21 21 28 65 26 35 31 32 29 2d 31 3b 76 61 72 20 67 3d 62 3b 69 66 28 68 29 7b 62 3a 7b 76 61 72 20 6b 3d 66 3b 76 61 72 20 6c 3d 7b 7d 3b 68 3d 21 31 3b 69 66 28 6b 29 66 6f 72 28 76 61 72 20 6d 20 69 6e 20 6b 29 69 66 28 69 73 4e 61 4e 28 2b 6d 29 29 6c 5b 6d 5d 3d 6b 5b 6d 5d 3b 65 6c 73 65 7b 76 61 72 20 71 3d 6b 5b 6d 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 71 29 26 26 28 41 28 71 2c 64 2c 0a 2b 6d 29 7c 7c 76 61 28 71 29 26 26 71 2e 73 69 7a 65 3d 3d 3d 30 29 26 26 28 71 3d 6e 75 6c 6c 29 3b 71 Data Ascii: structor.ca;var e=Ka(c?a.C:b);if(a=b.length){var f=b[a-1],h=wa(f);h?a--:f=void 0;e=+!!(e&512)-1;var g=b;if(h){b:{var k=f;var l={};h=!1;if(k)for(var m in k)if(isNaN(+m))l[m]=k[m];else{var q=k[m];Array.isArray(q)&&(A(q,d,+m)\|\|va(q)&&q.size===0)&&(q=null);q
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 7b 76 61 72 20 64 3d 50 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 21 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 45 28 64 2e 70 72 6f 74 6f 74 79 70 65 2c 61 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 51 61 28 4e 61 28 74 68 69 73 29 29 7d 7d 29 7d 72 65 74 75 72 6e 20 61 7d 29 3b 0a 76 61 72 20 51 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 7b 6e 65 78 74 3a 61 7d 3b 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 72 65 74 75 72 6e 20 61 7d 2c 47 Data Ascii: {var d=Pa[b[c]];typeof d==="function"&&typeof d.prototype[a]!="function"&&E(d.prototype,a,{configurable:!0,writable:!0,value:function(){return Qa(Na(this))}})}return a});var Qa=function(a){a={next:a};a[Symbol.iterator]=function(){return this};return a},G
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 48 28 6b 2c 66 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 6a 60 22 2b 6b 29 3b 6b 5b 66 5d 5b 74 68 69 73 2e 67 5d 3d 6c 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 72 65 74 75 72 6e 20 63 28 6b 29 26 26 48 28 6b 2c 66 29 3f 6b 5b 66 5d 5b 74 68 69 73 2e 67 5d 3a 76 6f 69 64 20 30 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 72 65 74 75 72 6e 20 63 28 6b 29 26 26 48 28 6b 2c 66 29 26 26 48 28 6b 5b 66 5d 2c 74 68 69 73 2e 67 29 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 64 65 Data Ascii: et=function(k,l){if(!c(k))throw Error("i");d(k);if(!H(k,f))throw Error("j`"+k);k[f][this.g]=l;return this};g.prototype.get=function(k){return c(k)&&H(k,f)?k[f][this.g]:void 0};g.prototype.has=function(k){return c(k)&&H(k,f)&&H(k[f],this.g)};g.prototype.de
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 3f 6c 3d 62 2e 67 65 74 28 6b 29 3a 28 6c 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6b 2c 6c 29 29 3a 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6d 3d 67 5b 30 5d 5b 6c 5d 3b 69 66 28 6d 26 26 48 28 67 5b 30 5d 2c 6c 29 29 66 6f 72 28 67 3d 30 3b 67 3c 6d 2e 6c 65 6e 67 74 68 3b 67 2b 2b 29 7b 76 61 72 20 71 3d 6d 5b 67 5d 3b 69 66 28 6b 21 3d 3d 6b 26 26 71 2e 6b 65 79 21 3d 3d 71 2e 6b 65 79 7c 7c 6b 3d 3d 3d 71 2e 6b 65 79 29 72 65 74 75 72 6e 7b 69 64 3a 6c 2c 6c 69 73 74 3a 6d 2c 69 6e 64 65 78 3a 67 2c 6c 3a 71 7d 7d 72 65 74 75 Data Ascii: s;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)?l=b.get(k):(l=""+ ++h,b.set(k,l)):l="p_"+k;var m=g[0][l];if(m&&H(g[0],l))for(g=0;g<m.length;g++){var q=m[g];if(k!==k&&q.key!==q.key\|\|k===q.key)return{id:l,list:m,index:g,l:q}}retu
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 78 74 28 29 29 2e 64 6f 6e 65 3b 29 65 2e 70 75 73 68 28 63 2e 63 61 6c 6c 28 64 2c 66 2e 76 61 6c 75 65 2c 68 2b 2b 29 29 7d 65 6c 73 65 20 66 6f 72 28 66 3d 62 2e 6c 65 6e 67 74 68 2c 68 3d 30 3b 68 3c 66 3b 68 2b 2b 29 65 2e 70 75 73 68 28 63 2e 63 61 6c 6c 28 64 2c 62 5b 68 5d 2c 68 29 29 3b 72 65 74 75 72 6e 20 65 7d 7d 29 3b 76 61 72 20 5a 61 3d 5a 61 7c 7c 7b 7d 2c 72 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 61 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 24 61 28 22 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 2e 6f 78 4e 33 6e 62 22 29 3b 61 3d 63 26 26 63 5b 61 5d 3b 72 65 74 75 72 6e 20 61 21 3d 6e 75 6c 6c 3f 61 3a 62 7d 2c 49 3d 72 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 Data Ascii: xt()).done;)e.push(c.call(d,f.value,h++))}else for(f=b.length,h=0;h<f;h++)e.push(c.call(d,b[h],h));return e}});var Za=Za\|\|{},r=this\|\|self,ab=function(a,b){var c=$a("WIZ_global_data.oxN3nb");a=c&&c[a];return a!=null?a:b},I=r._F_toggles\|\|[],$a=function(a){a
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 22 3f 61 2e 73 70 6c 69 74 28 22 22 29 3a 61 2c 66 3d 30 3b 66 3c 64 3b 66 2b 2b 29 66 20 69 6e 20 65 26 26 62 2e 63 61 6c 6c 28 63 2c 65 5b 66 5d 2c 66 2c 61 29 7d 3b 76 61 72 20 63 61 3d 22 63 6f 6e 73 74 72 75 63 74 6f 72 20 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 20 69 73 50 72 6f 74 6f 74 79 70 65 4f 66 20 70 72 6f 70 65 72 74 79 49 73 45 6e 75 6d 65 72 61 62 6c 65 20 74 6f 4c 6f 63 61 6c 65 53 74 72 69 6e 67 20 74 6f 53 74 72 69 6e 67 20 76 61 6c 75 65 4f 66 22 2e 73 70 6c 69 74 28 22 20 22 29 3b 76 61 72 20 6a 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 72 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 Data Ascii: "?a.split(""):a,f=0;f<d;f++)f in e&&b.call(c,e[f],f,a)};var ca="constructor hasOwnProperty isPrototypeOf propertyIsEnumerable toLocaleString toString valueOf".split(" ");var jb=function(a,b,c){c=c\|\|r;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&
2024-07-04 20:20:03 UTC	1953	IN	Data Raw: 6e 67 74 68 3b 65 2b 2b 29 7b 65 3e 30 26 26 63 2e 70 75 73 68 28 22 2c 20 22 29 3b 76 61 72 20 66 3d 64 5b 65 5d 3b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 66 29 7b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 66 3d 66 3f 22 6f 62 6a 65 63 74 22 3a 22 6e 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 6c 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 Data Ascii: ngth;e++){e>0&&c.push(", ");var f=d[e];switch(typeof f){case "object":f=f?"object":"null";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=lb(f))?f:"[fn]";break;default:f=typeof f}f.le

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49759	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:04 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:20:04 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:04 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:04 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:20:04 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:04 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:05 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 522 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:20:05 UTC	522	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 30 32 39 35 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124402951",null,null,null
2024-07-04 20:20:05 UTC	925	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=515=F1gTAwX04rdX2CXAN2O44gYXCsRjRtGHyjCsZeTxPMrdI68NHslcoQ8kwLRBdyTAt4bkXlYuVlg9epOKyAEtSc5e6gVElEXiYzmO3MxFwl4cgrQgetdaSrNZ5VMdx8Ba_2FW-AyTqfOQgDTCrTtgmN_kQ3tHflgHowkcfjbclO4; expires=Fri, 03-Jan-2025 20:20:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 04 Jul 2024 20:20:05 GMT Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49766	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:05 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 522 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-04 20:20:05 UTC	522	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 30 33 30 32 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124403026",null,null,null
2024-07-04 20:20:05 UTC	925	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=515=mNFovHPZa0gBr1dKYE1qKyi6WGpTXS-xl2fSRuNre9Bx_eHFeopW0PRQ79jU9Pvolr1lCO7eeX_y22blGxlpfiJXSDJHrHo8xc8058QXykag_5LoGkXi35BZEZUX6F0a8Ha_efzRNRcJy6YNWbbA2AJOWnVKONFvXhaWCDBY0l0; expires=Fri, 03-Jan-2025 20:20:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 04 Jul 2024 20:20:05 GMT Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49742	142.250.185.164	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:05 UTC	1214	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mNFovHPZa0gBr1dKYE1qKyi6WGpTXS-xl2fSRuNre9Bx_eHFeopW0PRQ79jU9Pvolr1lCO7eeX_y22blGxlpfiJXSDJHrHo8xc8058QXykag_5LoGkXi35BZEZUX6F0a8Ha_efzRNRcJy6YNWbbA2AJOWnVKONFvXhaWCDBY0l0
2024-07-04 20:20:06 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 04 Jul 2024 20:08:35 GMT Expires: Fri, 12 Jul 2024 20:08:35 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 691 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-04 20:20:06 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-07-04 20:20:06 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-07-04 20:20:06 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-07-04 20:20:06 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-07-04 20:20:06 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49772	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:13 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 931 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mNFovHPZa0gBr1dKYE1qKyi6WGpTXS-xl2fSRuNre9Bx_eHFeopW0PRQ79jU9Pvolr1lCO7eeX_y22blGxlpfiJXSDJHrHo8xc8058QXykag_5LoGkXi35BZEZUX6F0a8Ha_efzRNRcJy6YNWbbA2AJOWnVKONFvXhaWCDBY0l0
2024-07-04 20:20:13 UTC	931	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 30 30 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1720124400000",null,null,null,
2024-07-04 20:20:13 UTC	925	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk; expires=Fri, 03-Jan-2025 20:20:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 04 Jul 2024 20:20:13 GMT Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nxeS+otprgk5Bcy&MD=FeLCHCH7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-04 20:20:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 04b31ea7-6a74-458d-b3cd-bd1e9b530977 MS-RequestId: 7d9b21bb-5115-4236-b43c-7d7d4d1affa5 MS-CV: mzZM7YgiYESxeugY.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 04 Jul 2024 20:20:14 GMT Connection: close Content-Length: 24490
2024-07-04 20:20:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-04 20:20:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	56326	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:34 UTC	1322	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1004 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:20:34 UTC	1004	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 33 33 30 32 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124433028",null,null,null
2024-07-04 20:20:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	56327	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:34 UTC	1322	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1030 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:20:34 UTC	1030	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 33 33 34 31 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124433410",null,null,null
2024-07-04 20:20:35 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:35 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:35 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	56328	142.250.185.206	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:35 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 842 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:20:35 UTC	842	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 36 32 33 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240623.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0
2024-07-04 20:20:35 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:20:35 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:20:35 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:20:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	56329	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:20:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nxeS+otprgk5Bcy&MD=FeLCHCH7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-04 20:20:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 4bbc547a-a972-46f0-90d9-b7a7edeea46d MS-RequestId: 84048395-bd83-4591-940e-9238071273bc MS-CV: QKAy8LBEb06o7UIN.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 04 Jul 2024 20:20:52 GMT Connection: close Content-Length: 30005
2024-07-04 20:20:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-04 20:20:53 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	56332	142.250.186.46	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:21:05 UTC	1322	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1054 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:21:05 UTC	1054	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 36 33 34 35 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124463455",null,null,null
2024-07-04 20:21:05 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:21:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:21:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:21:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	56334	142.250.186.46	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:21:06 UTC	1321	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 976 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:21:06 UTC	976	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 36 35 30 33 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124465032",null,null,null
2024-07-04 20:21:06 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:21:06 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:21:06 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:21:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	56336	142.250.186.46	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:21:38 UTC	1322	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1081 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:21:38 UTC	1081	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 39 37 30 39 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124497095",null,null,null
2024-07-04 20:21:38 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:21:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:21:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:21:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	56337	142.250.186.46	443	7316	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 20:21:38 UTC	1322	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1175 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=515=mutiQZpkpqGiZZt3vL-_CzuZsznNvMpp6EEgFltyHIGKKDs5y6763L5AX-n3EhNbNR2qFYSslQVRW55vdqQbQc2Pe2fqmz2j7v6_9MEzUgDKXv333orC7L6o5sS1rQnYfuSwTi95X0yOq5U7TKeK59qMqry2QCUGofpGi7266hk
2024-07-04 20:21:38 UTC	1175	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 32 32 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 30 31 32 34 34 39 37 32 36 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"22",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1720124497266",null,null,null
2024-07-04 20:21:39 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 04 Jul 2024 20:21:39 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-07-04 20:21:39 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-07-04 20:21:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:19:52
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfb0000
File size:	1'166'336 bytes
MD5 hash:	86738DD73219B83320BA19AF11C97E11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:19:52
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	16:19:53
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	16:20:03
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:20:03
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1972,i,16422733890045715603,8918321103436250044,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1680
Total number of Limit Nodes:	64

Executed Functions

Function 00FB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FB430D

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

GetCurrentProcess.KERNEL32(?,0104CB64,00000000,?,?), ref: 00FB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FB4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00FB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FB44A0

Strings

GetNativeSystemInfo, xrefs: 00FB4460
kernel32.dll, xrefs: 00FB444F
|O, xrefs: 00FF36F8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a1b127b1bdc3d2bd63358ad9ce2a18c36060f5f6256971568631e1d1193203f
Instruction ID: 6859cad03b5dea153378e9071c39d8632e765cdad9135644c9eceb64304931fd
Opcode Fuzzy Hash: 0a1b127b1bdc3d2bd63358ad9ce2a18c36060f5f6256971568631e1d1193203f
Instruction Fuzzy Hash: A5A1C576D0E2D4DFC731D76AB1806ED7FA46F26710B08C899D4C1A3A0AD27E4506EFA1

Function 00FB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FB50AA,?,?,00000000,00000000), ref: 00FB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FB50AA,?,?,00000000,00000000), ref: 00FB42C9
LoadResource.KERNEL32(?,00000000,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20), ref: 00FF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20), ref: 00FF35D3
LockResource.KERNEL32(00FB50AA,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20,?), ref: 00FF35E6

Strings

SCRIPT, xrefs: 00FB42BF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 14b5ff9088eb1140d1266704a69fa86ae0d0d25ab84920a73ce2e3e44dededc0
Instruction ID: 3b7d98ccdad3cced64a54caf232b0a86c90f338852ef37b41d7d6c788703b9bf
Opcode Fuzzy Hash: 14b5ff9088eb1140d1266704a69fa86ae0d0d25ab84920a73ce2e3e44dededc0
Instruction Fuzzy Hash: 0F11A0B4301700BFE7218FA6DE89F677BB9EBC5B51F14416DB84686150DB71EC00AA30

Function 00FF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FB2B6B

Part of subcall function 00FB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01081418,?,00FB2E7F,?,?,?,00000000), ref: 00FB3A78

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01072224), ref: 00FF2C10
ShellExecuteW.SHELL32(00000000,?,?,01072224), ref: 00FF2C17

Strings

runas, xrefs: 00FF2C0B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: eb1db0585a4ab73e50ac438a7d2c555899d194d0c8d8b310ba7f7e14927eafc8
Instruction ID: 55b7b9e9257df595bc8c7fc487501799741bcf576927728ebf4291019599ff51
Opcode Fuzzy Hash: eb1db0585a4ab73e50ac438a7d2c555899d194d0c8d8b310ba7f7e14927eafc8
Instruction Fuzzy Hash: EB11DF316083056AC714FF66DC919EE7BA4AFD5310F48541DF2C2060A2CF398A4AAB12

Function 0101AB9C Relevance: 6.1, APIs: 4, Instructions: 103
keyboardwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0101ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0101AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0101AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0101ACC6

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f30d33ffb5f2dcd955031d2cf66efbbd1f3fdb4063a9e962ac19c98474737ea
Instruction ID: 1287e0e7cdc60f8d93d43670a2d9a3fb39d2edfab8ab083887bcf755f3a50fc7
Opcode Fuzzy Hash: 2f30d33ffb5f2dcd955031d2cf66efbbd1f3fdb4063a9e962ac19c98474737ea
Instruction Fuzzy Hash: 1D311470B0129CEFFF358A6988147FE7AE5AB89320F04425AE4C5932D9D37D85858791

Function 00FD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000,?,00FE28E9), ref: 00FD4D09
TerminateProcess.KERNEL32(00000000,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000,?,00FE28E9), ref: 00FD4D10
ExitProcess.KERNEL32 ref: 00FD4D22

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f691986d55b6cec82ea160ccf03058a3f0f835667d2d1bd8010292e9d01e3f6d
Instruction ID: 3d989a3454ff7be35789f0a0da5303f7ee374aa34a756082bf43ad076c5dd96c
Opcode Fuzzy Hash: f691986d55b6cec82ea160ccf03058a3f0f835667d2d1bd8010292e9d01e3f6d
Instruction Fuzzy Hash: 99E0BF75401148ABDF216F54DF49A583B6BEB41752B184015FC458B226CB3AEE41DF40

Function 0101B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0101B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0101B270

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: dae189ebb16458f75a4f2225401deae46132971060294723a1e3d19c5de79267
Instruction ID: 55a05f3a71d5ecbbf4bb9aa5805449efb8ca92322e46e6b44d37b649ea165e0e
Opcode Fuzzy Hash: dae189ebb16458f75a4f2225401deae46132971060294723a1e3d19c5de79267
Instruction Fuzzy Hash: 56F06D7480424DABEB158FA0C805BEE7FB0FF04305F008009F991A5195C37D82058F94

Function 00FBD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FBD807
timeGetTime.WINMM ref: 00FBDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBDB28
TranslateMessage.USER32(?), ref: 00FBDB7B
DispatchMessageW.USER32(?), ref: 00FBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBDB9F
Sleep.KERNEL32(0000000A), ref: 00FBDBB1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 77a895741f0cce9a046d9a8076159f09fdfaefe4b5aae2d13626948c8beb1d46
Instruction ID: fe8b1fb6ecd66bee2dbe6925207ae2133e8fd652d9cb2bdfd06f7f5acbdbc70b
Opcode Fuzzy Hash: 77a895741f0cce9a046d9a8076159f09fdfaefe4b5aae2d13626948c8beb1d46
Instruction Fuzzy Hash: 1C420370608242EFE72ACF25C888BAABBE0BF85314F14855DE4D587291E775E844DF92

Function 00FB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB2D07
RegisterClassExW.USER32(00000030), ref: 00FB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB2D6F
LoadIconW.USER32(000000A9), ref: 00FB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB2D94

Strings

TaskbarCreated, xrefs: 00FB2D37
0, xrefs: 00FB2CE9
+, xrefs: 00FB2CF0
AutoIt v3 GUI, xrefs: 00FB2D23

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 55dca9242f0cb2da827a2a9e9a61967a1f52a0db53d9cb9ab087b2fdda2155df
Instruction ID: f5100ae5c95c06c5dc6b0909c7bb5f16191c003559461e4d15ef46d38a611763
Opcode Fuzzy Hash: 55dca9242f0cb2da827a2a9e9a61967a1f52a0db53d9cb9ab087b2fdda2155df
Instruction Fuzzy Hash: 52211DB5D06308AFEB20DF94EA89BDD7BB4FB08700F00411AF5D1A6284D7BA0541CF50

Function 00FF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF039A: CreateFileW.KERNEL32(00000000,00000000,?,00FF0704,?,?,00000000,?,00FF0704,00000000,0000000C), ref: 00FF03B7

GetLastError.KERNEL32 ref: 00FF076F
__dosmaperr.LIBCMT ref: 00FF0776
GetFileType.KERNEL32(00000000), ref: 00FF0782
GetLastError.KERNEL32 ref: 00FF078C
__dosmaperr.LIBCMT ref: 00FF0795
CloseHandle.KERNEL32(00000000), ref: 00FF07B5
CloseHandle.KERNEL32(?), ref: 00FF08FF
GetLastError.KERNEL32 ref: 00FF0931
__dosmaperr.LIBCMT ref: 00FF0938

Strings

H, xrefs: 00FF08BD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8edfa7b03dcf0479a3263f6c3cef784981b6abd05ae5f5f24ea6f73e8ae00ed9
Instruction ID: d326fb06b4027cd46e0d7bd29020ef97df315792cce728fd10d3db573c9daee8
Opcode Fuzzy Hash: 8edfa7b03dcf0479a3263f6c3cef784981b6abd05ae5f5f24ea6f73e8ae00ed9
Instruction Fuzzy Hash: 45A16A32A041088FDF28AF68DC51BBD7BA1AF06320F140159F951DF3A2DB358D16EB91

Function 00FB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01081418,?,00FB2E7F,?,?,?,00000000), ref: 00FB3A78

Part of subcall function 00FB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FF31CE
RegCloseKey.ADVAPI32(?), ref: 00FF3210
_wcslen.LIBCMT ref: 00FF3277
_wcslen.LIBCMT ref: 00FF3286

Strings

\, xrefs: 00FF328C
Include, xrefs: 00FF3184, 00FF31C5
Software\AutoIt v3\AutoIt, xrefs: 00FB3560
\Include\, xrefs: 00FB3527

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5f071903fcb08cca003a365d0ae687d9f03b1698cd5e2dbf6559cc38ad0757c0
Instruction ID: bda101b1985c7d382c5712cd1ad91126928c683063c04f8ed71a43cf5e420d80
Opcode Fuzzy Hash: 5f071903fcb08cca003a365d0ae687d9f03b1698cd5e2dbf6559cc38ad0757c0
Instruction Fuzzy Hash: 3D71BDB14083019EC324EF66EC919AFBBE8FF85750F40842EF5C593164EB799A48DB52

Function 00FB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FB2B9D
LoadIconW.USER32(00000063), ref: 00FB2BB3
LoadIconW.USER32(000000A4), ref: 00FB2BC5
LoadIconW.USER32(000000A2), ref: 00FB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB2BEF
RegisterClassExW.USER32(?), ref: 00FB2C40

Part of subcall function 00FB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FB2D07
Part of subcall function 00FB2CD4: RegisterClassExW.USER32(00000030), ref: 00FB2D31
Part of subcall function 00FB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB2D42
Part of subcall function 00FB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FB2D5F
Part of subcall function 00FB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB2D6F
Part of subcall function 00FB2CD4: LoadIconW.USER32(000000A9), ref: 00FB2D85
Part of subcall function 00FB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB2D94

Strings

#, xrefs: 00FB2C16
0, xrefs: 00FB2C0F
AutoIt v3, xrefs: 00FB2C2F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a56d8045ba2bd6ba624394af854d2975f1c1826c73637f06c311f7962e5ebd03
Instruction ID: a6f8cb13488f407fc2861dd46cd2e62d87a04ef6d822bc1da432b545bc7443c0
Opcode Fuzzy Hash: a56d8045ba2bd6ba624394af854d2975f1c1826c73637f06c311f7962e5ebd03
Instruction Fuzzy Hash: 82214CB4E05314AFDB20DFA6E985ADD7FB5FF08B50F00801AE580A6694D7BA0541DF90

Function 00FB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FB316A,?,?), ref: 00FB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FB316A,?,?), ref: 00FB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FB316A,?,?), ref: 00FB3232
CreatePopupMenu.USER32 ref: 00FB3246
PostQuitMessage.USER32(00000000), ref: 00FB3267

Strings

TaskbarCreated, xrefs: 00FB322D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6165da6ee5f9d2e2b8a1686936b2eb2a579af47de54ec055074262610bc421a8
Instruction ID: b7d8a6a2f82ef0343541df37678944850c15dd26cccbc8a88805b128e9aa9a48
Opcode Fuzzy Hash: 6165da6ee5f9d2e2b8a1686936b2eb2a579af47de54ec055074262610bc421a8
Instruction Fuzzy Hash: 84412B36AC8204ABDB246B7DDE4ABFD3A1DFF05350F044119F5C2C5295CB7A8A41BB61

Function 00FB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FB1459
OleUninitialize.OLE32(?,00000000), ref: 00FB14F8
UnregisterHotKey.USER32(?), ref: 00FB16DD
DestroyWindow.USER32(?), ref: 00FF24B9
FreeLibrary.KERNEL32(?), ref: 00FF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FF254B

Strings

close all, xrefs: 00FB1454

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 51312ddcfb103e8ae00333186db4263a33e176f7d5ff6fce8b9a780e51b9871c
Instruction ID: 7c9b9b19b913af0a14a7eabb4c3c2479231597fb8f4e303f563b4d915a34ea99
Opcode Fuzzy Hash: 51312ddcfb103e8ae00333186db4263a33e176f7d5ff6fce8b9a780e51b9871c
Instruction Fuzzy Hash: 73D1C231702212CFDB29EF15C9A9B69F7A1BF05710F5841ADE54AAB261CB34EC12EF50

Function 00FB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FB1CAD,?), ref: 00FB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FB1CAD,?), ref: 00FB2CCF

Strings

edit, xrefs: 00FB2CAC
AutoIt v3, xrefs: 00FB2C89, 00FB2C8E, 00FB2C8F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9b652c30a58f513b57dee2ab85593c0ad60f7877e2449ec92202fc697cce22a5
Instruction ID: 9eef1ebefd3428ece72a3636da0b4b6219304289dce549b90863c9c8fc02daf1
Opcode Fuzzy Hash: 9b652c30a58f513b57dee2ab85593c0ad60f7877e2449ec92202fc697cce22a5
Instruction Fuzzy Hash: A8F03AB95443907FEB300713AC4CEBB2EBDEBC6F50B00806EF980A2154C27A0842DBB0

Function 0103AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0103AEA3

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

GetProcessId.KERNEL32(00000000), ref: 0103AF38
CloseHandle.KERNEL32(00000000), ref: 0103AF67

Strings

<, xrefs: 0103AE6B
@, xrefs: 0103AE72

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f204d1da55c972a358090452fcba830e29e38862278da392ba213f86215809a2
Instruction ID: ced488e218bc70876247ea3c5bf38dc06c70f72b7882175a85531e67d09f8734
Opcode Fuzzy Hash: f204d1da55c972a358090452fcba830e29e38862278da392ba213f86215809a2
Instruction Fuzzy Hash: D5717A74A00215DFCB14EF55C885A9EBBF4BF48310F048499E896AB392C779ED45CFA0

Function 00FB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B83

Strings

Control Panel\Mouse, xrefs: 00FB3B3E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1cfe87a2388660b91f32fb4392ed20af733bc1c2f6dc9684dace6ae2700a6c7f
Instruction ID: 04be811b27ecdde99211f09479afb64f1152d386757e5b8690442a7fbfafa312
Opcode Fuzzy Hash: 1cfe87a2388660b91f32fb4392ed20af733bc1c2f6dc9684dace6ae2700a6c7f
Instruction Fuzzy Hash: 26115AB5551208FFDB208FA6DD84AEEB7B8EF41750B108559B801D7118D6319E40AB60

Function 0101B0A8 Relevance: 6.0, APIs: 4, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B126

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 34f0325f155ecdd9f714a18a0dd03134aea41f1f0ff92f55abd6cd33e2b06163
Instruction ID: 4743d5be49f21fe29f69951b33827881667e1a1ca3d16e45835f577dcc05f0cf
Opcode Fuzzy Hash: 34f0325f155ecdd9f714a18a0dd03134aea41f1f0ff92f55abd6cd33e2b06163
Instruction Fuzzy Hash: E611AD70C0251CE7DF10AFE4EA88AEEBF78FF0A310F114086E9C1B2189CB3996508B51

Function 00FB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FF33A2

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB3A04

Strings

Line: , xrefs: 00FF33EB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 42c9c3b45566642cba5f4578f952788b6188207fba15a32f67273c503afca492
Instruction ID: 6654dbb603b4d90e8a5defa777c19e7bba614eec129ca972a1b7ebcc2953e8c8
Opcode Fuzzy Hash: 42c9c3b45566642cba5f4578f952788b6188207fba15a32f67273c503afca492
Instruction Fuzzy Hash: D631C071848304AFD725EB21DC45BEFB7E8AF40720F14452AF5D982185EF789A49EBC2

Function 00FCFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FD0668

Part of subcall function 00FD32A4: RaiseException.KERNEL32(?,?,?,00FD068A,?,01081444,?,?,?,?,?,?,00FD068A,00FB1129,01078738,00FB1129), ref: 00FD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FD0685

Strings

Unknown exception, xrefs: 00FD0692

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f65bcbc4c885394cf2eb6396a8f97332224b8c233552ce993fef78d61fb09512
Instruction ID: 36285d33cfe3879bed652e2163e5be638c66d7f92c0e407da3e3769c28c03b45
Opcode Fuzzy Hash: f65bcbc4c885394cf2eb6396a8f97332224b8c233552ce993fef78d61fb09512
Instruction Fuzzy Hash: 91F02834C0020E73CB00B664EC4AF5DB76F6E00320F584037B91586691EF34DA29E580

Function 00FB10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB1BF4
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB1BFC
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB1C07
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB1C12
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB1C1A
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB1C22

Part of subcall function 00FB1B4A: RegisterWindowMessageW.USER32(00000004,?,00FB12C4), ref: 00FB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FB136A
OleInitialize.OLE32 ref: 00FB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FF24AB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 61371e1f855ce97f2168a0b5abe0067e0cf4cb00cf00a307fee20f6c7e403c2b
Instruction ID: 4acd64185be5f98dd889e5059016266c154f4862c332e709b64d0b742039d089
Opcode Fuzzy Hash: 61371e1f855ce97f2168a0b5abe0067e0cf4cb00cf00a307fee20f6c7e403c2b
Instruction Fuzzy Hash: 9B71BCB491D200DFC3A4EF7AE9566993AE0BF48344758822AD0CAC7349EB3A4403DF64

Function 0101C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0101C259
KillTimer.USER32(?,00000001,?,?), ref: 0101C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0101C270

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: f1d770ccc6064015e97733a197edbfc587b4fa72b5e9d56255935bcc21686282
Instruction ID: b4f3b97f2c46c19c8c20f8f296d53188120c2b5fe364d4734686a7caadca522a
Opcode Fuzzy Hash: f1d770ccc6064015e97733a197edbfc587b4fa72b5e9d56255935bcc21686282
Instruction Fuzzy Hash: FC31B1B0944344AFFB729B688985BEABBECAF06304F0404DAD6DE93245C7789685CB51

Function 00FE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,00FE85CC,?,01078CC8,0000000C), ref: 00FE8704
GetLastError.KERNEL32(?,00FE85CC,?,01078CC8,0000000C), ref: 00FE870E
__dosmaperr.LIBCMT ref: 00FE8739

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 783ab2411e2fd6be9bf16170863f722d3459e235338bf653bd40801df04d6f16
Instruction ID: 2c7a6fad6f749b1421dc1127bc27971ac8479d564b0c0252f2dac04160d4f8ca
Opcode Fuzzy Hash: 783ab2411e2fd6be9bf16170863f722d3459e235338bf653bd40801df04d6f16
Instruction Fuzzy Hash: 70012B33E056E02AD7347236A945B7E774A4B81BF8F390119F81C9B1D3DEA98C82B251

Function 00FBDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00FBDB7B
DispatchMessageW.USER32(?), ref: 00FBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBDB9F
Sleep.KERNEL32(0000000A), ref: 00FBDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 01001CC9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 06ce160bb91b52e1fddfd005f09c58f9d98d9b6de784bc902d32b3608d72c091
Instruction ID: 97338a4bee6547e6b6e1c41e6dedc71b0d1cc453a459720e0151d45b125dd931
Opcode Fuzzy Hash: 06ce160bb91b52e1fddfd005f09c58f9d98d9b6de784bc902d32b3608d72c091
Instruction Fuzzy Hash: D3F05E706093449BFB30DB61CD89FEA77ACEF84310F104618E68A830C0EB35D088DB26

Function 00FC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FC17F6

Strings

CALL, xrefs: 00FC17C6

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c4c2e51ce346a201b9b350376a495bdb7a5cb91a7a5eb18c390eef5c1c09c250
Instruction ID: 39837e2781d8f52cd3dd4ce7cccd64a073c5035d090c8cf5b5e9ae0352dcbd08
Opcode Fuzzy Hash: c4c2e51ce346a201b9b350376a495bdb7a5cb91a7a5eb18c390eef5c1c09c250
Instruction Fuzzy Hash: B4228E705082029FD714DF14C981F2ABBF2BF86314F18895DF4968B392D736E865DB92

Function 00FB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FF2C8C

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 00FB2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00FB2DC4

Strings

X, xrefs: 00FF2C5A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 66d792267aaac53cfe796c0951cc60e0565ba82f09427e3f49dcf5f8e56cbab2
Instruction ID: da95d987334e758308e8e0857df53b78302a6f50d1afca7ae3f94128068d6fe9
Opcode Fuzzy Hash: 66d792267aaac53cfe796c0951cc60e0565ba82f09427e3f49dcf5f8e56cbab2
Instruction Fuzzy Hash: 9B21F071E002489FDB41EF95CC45BEE7BF8AF48310F00801AE545A7281DBB89A899FA1

Function 00FB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB3908

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 08c506dc779bccbd2813ae137a6d0296dc4ad2656a06ae0802b40b410dc70004
Instruction ID: 96cd740c46ba613721d9ad0044aa47d78b73189b9a05044113bffe3c521daecb
Opcode Fuzzy Hash: 08c506dc779bccbd2813ae137a6d0296dc4ad2656a06ae0802b40b410dc70004
Instruction Fuzzy Hash: 63317AB19443019FE320DF25D58479ABBE8FB49718F00092EE5DA83240E776AA44DB52

Function 00FCF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FCF661

Part of subcall function 00FBD730: GetInputState.USER32 ref: 00FBD807

Sleep.KERNEL32(00000000), ref: 0100F2DE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8f875612f194a627f08cf547b3dc408bdc5eac697abf00c7519f59e328498c1b
Instruction ID: 65e621c482bcba08d399b3c8644aa2dd8f006481ea005aeb7cfb1524b7224185
Opcode Fuzzy Hash: 8f875612f194a627f08cf547b3dc408bdc5eac697abf00c7519f59e328498c1b
Instruction Fuzzy Hash: 81F0A7752402059FE320EF75D945F9AB7E8FF45760F000029E89AC7350DB74A800DF91

Function 00FBB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FBBB4E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c756c8916e55a53e0bbfa8edb0d9db60002d8026cd0c22d8af34897dcd3be190
Instruction ID: 8e09f79535057b571f619e21c842a54cb71d5447a6adc6a327705408e153a3ad
Opcode Fuzzy Hash: c756c8916e55a53e0bbfa8edb0d9db60002d8026cd0c22d8af34897dcd3be190
Instruction Fuzzy Hash: BE32CA31A042099FEB21CF19C894BFEB7B9EF44350F148059E986AB295C7B8ED41DF91

Function 010358A2 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 01035930

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 4ff79ed438b62cd945df70f06cc4cb730d0bb4079cc4862db1c17333670f8fff
Instruction ID: f57679f61f1bf87b121a43242c8a01b0e909ac00cc21da81db6aea1b8a564739
Opcode Fuzzy Hash: 4ff79ed438b62cd945df70f06cc4cb730d0bb4079cc4862db1c17333670f8fff
Instruction Fuzzy Hash: D3719F30600205AFDB14DF58CC91EBEBBF9FF98314F10806DEA859B2A1D775A942DB90

Function 00FB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E9C
Part of subcall function 00FB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4EAE
Part of subcall function 00FB4E90: FreeLibrary.KERNEL32(00000000,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EFD

Part of subcall function 00FB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E62
Part of subcall function 00FB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4E74
Part of subcall function 00FB4E59: FreeLibrary.KERNEL32(00000000,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E87

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: eef8c7f1d735b931be025cb49d91ef1cd520b0d8e1c1e7ec2e2cc200d606453f
Instruction ID: f1197d086b067dd8a7a219fa3e6aea813014a579548c5db1c085bebe73029bb2
Opcode Fuzzy Hash: eef8c7f1d735b931be025cb49d91ef1cd520b0d8e1c1e7ec2e2cc200d606453f
Instruction Fuzzy Hash: 2A11C432600205ABDB14BB66DE12BED77A59F40B10F10442DF582AB1D2DE79EA45BF50

Function 00FE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FE8440

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 15127d39d69e2b889b8cdde5e7dcec624484c499b6545426ca566077e45a09e8
Instruction ID: 457297c24c14debe1e5dbc9bf67888c4e496f37d6f1d012afd7f960a2db6507a
Opcode Fuzzy Hash: 15127d39d69e2b889b8cdde5e7dcec624484c499b6545426ca566077e45a09e8
Instruction Fuzzy Hash: E811487190410AAFCB15DF59E9409DE7BF4EF48310F104059F808AB352DA31DA12DBA4

Function 00FE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE4C7D: RtlAllocateHeap.NTDLL(00000008,00FB1129,00000000,?,00FE2E29,00000001,00000364,?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?), ref: 00FE4CBE

_free.LIBCMT ref: 00FE506C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 2f8bc668e807b379a321d451a00c0a1fb8ec51e418a24d07d612265820cea7a0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BB0126726047456BE3218E6A9C85A5AFBEDFB89370F25051DF284832C0EA70A805C6B4

Function 010429BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,010414B5,?), ref: 01042A01

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f26c88adb3ea1fc3a4cc02948198367f33f8cb7abf9708d07c39d67b44f96948
Instruction ID: 5c4c03d83b39d820e36151d0809d536d2b4a052dbad7717a00698d4eb7eee231
Opcode Fuzzy Hash: f26c88adb3ea1fc3a4cc02948198367f33f8cb7abf9708d07c39d67b44f96948
Instruction Fuzzy Hash: 2701B979300641DFE365CA2CE5D4B2537D2EF85254F2984B8E5C78B251D732EC52C7A0

Function 00FDE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d4799f8d2652ab9252e78d002943ba0ed7cc5d456ab89455dcfed4f29d48fcb4
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C0F02D32521A1496C7313A6ACC05B5A339E9F52375F18071BF425973D2DB7CE802B9A6

Function 00FB9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB9CBD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 2a5568052486cbf4e0cd30e36d7b9dc833817de7baba896c94b7e8b926ea76a8
Instruction ID: 0e3c124a0b0474b8c9eb2c82cca0feb56f7f9300a48bce514180792fcebc44f3
Opcode Fuzzy Hash: 2a5568052486cbf4e0cd30e36d7b9dc833817de7baba896c94b7e8b926ea76a8
Instruction Fuzzy Hash: 9AF0F4B36006016ED7149F29CC02FAABB95EB44760F10852AF619CB2D1DB75E4149AA0

Function 00FE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FB1129,00000000,?,00FE2E29,00000001,00000364,?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?), ref: 00FE4CBE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 55a6b2d496a5650680c94da0641fac8c51f7a6874b101c520c13630b7a4b3355
Instruction ID: a71da4327185e7545ff85a513fb66a574dd7c81abc2ef147df6958792852d035
Opcode Fuzzy Hash: 55a6b2d496a5650680c94da0641fac8c51f7a6874b101c520c13630b7a4b3355
Instruction Fuzzy Hash: D1F05932A032B067DB205F6B9C05F5A3789BF413B0B38411AB80AE7680CA34F800B2F0

Function 00FE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b4b52790ec55a5f1e68b3bb77e15c1be7d470a834ea269d91c001c04d472894
Instruction ID: b0f3d810b4ebbea906cab380615ed64d8450a594ce036a6332459f45bc7f8119
Opcode Fuzzy Hash: 6b4b52790ec55a5f1e68b3bb77e15c1be7d470a834ea269d91c001c04d472894
Instruction Fuzzy Hash: C2E0E5339012A467E73126679C0DB9A3749AF827B0F090122BC4593580CB25EF01B2E0

Function 00FB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4F6D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1baedd62199d1856567f1a4fb5ac92b8c2af5c3abb35860fa65455906474eb69
Instruction ID: 0040c522b8600feeb0e9167b6cd8951d06f55cf8a0ca4b95aa7e84a11ae02fb0
Opcode Fuzzy Hash: 1baedd62199d1856567f1a4fb5ac92b8c2af5c3abb35860fa65455906474eb69
Instruction Fuzzy Hash: B7F03071505751CFDB349F65D590962B7F4EF14329314897EE1EA83612C731A844EF10

Function 01042A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01042A66

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ca84db04b6e23ee209998b8554fb85c00f1538f60aa8f9f7f64751a1efafe59b
Instruction ID: db9cb42bf6dc7ede2ea00dbcccc713aa5350f183d90db67c9ed0f0158feed5f0
Opcode Fuzzy Hash: ca84db04b6e23ee209998b8554fb85c00f1538f60aa8f9f7f64751a1efafe59b
Instruction Fuzzy Hash: 71E086B6354127ABD754EA30FCC48FE775CEF642957004536FC96C7100DB3499A686E0

Function 00FB30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FB314E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 086a0e34011a30f66a0c7a30c50ce0599851a3a695225edf5f2cea2593874e3a
Instruction ID: 9ab68a42aa1137cd82b8d2ed49c943067a6d03b77b3cced7eb9c9b8083b88b4e
Opcode Fuzzy Hash: 086a0e34011a30f66a0c7a30c50ce0599851a3a695225edf5f2cea2593874e3a
Instruction Fuzzy Hash: 76F0A7709043049FE7629B24D8467D97BBCAB01708F0000E5A1C896285DB794789CF41

Function 00FB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00FB2DC4

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 01ba094a58b4bad517a5672440bd9afcaf9fa1279bb7ea914fa0895def6f4f2b
Instruction ID: 74eb3525a45df9afba405ddf22f6e75de80f04af22ec627e5b7426c1b8c34258
Opcode Fuzzy Hash: 01ba094a58b4bad517a5672440bd9afcaf9fa1279bb7ea914fa0895def6f4f2b
Instruction Fuzzy Hash: DEE0CD766011245BC72092599C05FEA77EDDFC8790F044071FD09D7248D968AD808650

Function 00FB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB3908

Part of subcall function 00FBD730: GetInputState.USER32 ref: 00FBD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FB2B6B

Part of subcall function 00FB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FB314E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c6cc118cd31fd4df56d47c725d18c57ae0c3d5cf2c22fba21846430b3cd23eff
Instruction ID: d32cf88fef08981a17ddede301699b7559cb8a7e1d88786637acd3e812c59d70
Opcode Fuzzy Hash: c6cc118cd31fd4df56d47c725d18c57ae0c3d5cf2c22fba21846430b3cd23eff
Instruction Fuzzy Hash: 26E0263270820407CA04BA769C524EDB3599FD5351F40153EF1C243153CE3D86465B12

Function 00FF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00FF0704,?,?,00000000,?,00FF0704,00000000,0000000C), ref: 00FF03B7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e5a7739800f3358c31eab8966c3c27af218d3e20f3266ec135ed848f63bf5c0f
Instruction ID: be86c52b115530e6335bf60115650b5bac3866bc8edfe67ccb29003750b09e4d
Opcode Fuzzy Hash: e5a7739800f3358c31eab8966c3c27af218d3e20f3266ec135ed848f63bf5c0f
Instruction Fuzzy Hash: CDD06C3204010DBBDF128E84DE46EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00FB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FB1CBC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 793c338a1396127c276ee940f99be6d58a528001c9b7890417b9dda3d2bd9aa3
Instruction ID: e3aa617f0a668cb88f703380e477c1dc95acb5cd09c013c59e36674bb0f8bdf7
Opcode Fuzzy Hash: 793c338a1396127c276ee940f99be6d58a528001c9b7890417b9dda3d2bd9aa3
Instruction Fuzzy Hash: 3AC04C352842049FF2244680B94AF587755A748B00F048001F6C9555C782B71450D750

Non-executed Functions

Function 01049576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0104961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0104969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010496C9
SendMessageW.USER32 ref: 010496F2
GetKeyState.USER32(00000011), ref: 0104978B
GetKeyState.USER32(00000009), ref: 01049798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010497AE
GetKeyState.USER32(00000010), ref: 010497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010497E9
SendMessageW.USER32 ref: 01049810
SendMessageW.USER32(?,00001030,?,01047E95), ref: 01049918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0104992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01049941
SetCapture.USER32(?), ref: 0104994A
ClientToScreen.USER32(?,?), ref: 010499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010499D6
ReleaseCapture.USER32 ref: 010499E1
GetCursorPos.USER32(?), ref: 01049A19
ScreenToClient.USER32(?,?), ref: 01049A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01049A80
SendMessageW.USER32 ref: 01049AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01049AEB
SendMessageW.USER32 ref: 01049B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01049B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01049B4A
GetCursorPos.USER32(?), ref: 01049B68
ScreenToClient.USER32(?,?), ref: 01049B75
GetParent.USER32(?), ref: 01049B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01049BFA
SendMessageW.USER32 ref: 01049C2B
ClientToScreen.USER32(?,?), ref: 01049C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01049CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01049CDE
SendMessageW.USER32 ref: 01049D01
ClientToScreen.USER32(?,?), ref: 01049D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01049D82

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

GetWindowLongW.USER32(?,000000F0), ref: 01049E05

Strings

F, xrefs: 01049D07
@GUI_DRAGID, xrefs: 0104997D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b5dbbcdb95600449c970d8211b09fdfb1c28bb95a459cf2c0e972c9abd653109
Instruction ID: 52462a60ca60c2129865e3eb71b27db0d11e55dc59113314d1df29dd816dd05c
Opcode Fuzzy Hash: b5dbbcdb95600449c970d8211b09fdfb1c28bb95a459cf2c0e972c9abd653109
Instruction Fuzzy Hash: F0428BB4208201AFE725CF28C985EABBBE5FF4C318F004669F6D9872A1D735A851CF51

Function 01044873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01044908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01044927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0104494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0104495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0104497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01044A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01044A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01044A7E
IsMenu.USER32(?), ref: 01044A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01044AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01044B20
GetWindowLongW.USER32(?,000000F0), ref: 01044B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01044BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01044C82
wsprintfW.USER32 ref: 01044CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01044CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01044CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01044D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01044D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01044D5A

Strings

%d/%02d/%02d, xrefs: 01044CA8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9cb5464faff288713abcd4afc4e22a36c28cf43957cd85d92abce9ace96758d9
Instruction ID: 389448c5fe15bfeea23462ebce3e58827f5089a862b873f5b7526c5786c16c0e
Opcode Fuzzy Hash: 9cb5464faff288713abcd4afc4e22a36c28cf43957cd85d92abce9ace96758d9
Instruction Fuzzy Hash: 4812F2B1600214ABFB259F28CD89FAE7BF8EF45310F044169F996DB2D1DB789941CB50

Function 00FCF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FCF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100F474
IsIconic.USER32(00000000), ref: 0100F47D
ShowWindow.USER32(00000000,00000009), ref: 0100F48A
SetForegroundWindow.USER32(00000000), ref: 0100F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100F4AA
GetCurrentThreadId.KERNEL32 ref: 0100F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0100F4DE
SetForegroundWindow.USER32(00000000), ref: 0100F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F4F6
keybd_event.USER32(00000012,00000000), ref: 0100F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F50B
keybd_event.USER32(00000012,00000000), ref: 0100F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F519
keybd_event.USER32(00000012,00000000), ref: 0100F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F528
keybd_event.USER32(00000012,00000000), ref: 0100F52D
SetForegroundWindow.USER32(00000000), ref: 0100F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0100F557

Strings

Shell_TrayWnd, xrefs: 0100F46F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bfea92310dff228cfbca8442b924b244774dd4c1e50b94e43c89620948200999
Instruction ID: 400e3ff5b6c68aab3f786f50adaded5487d2308a038c80fb5d30bec5104101ae
Opcode Fuzzy Hash: bfea92310dff228cfbca8442b924b244774dd4c1e50b94e43c89620948200999
Instruction Fuzzy Hash: 343194B5A41218BBFB316BB54E8AFBF7E6CEB44B50F100055FB40E61C1C7B65940ABA0

Function 01011201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
Part of subcall function 010116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
Part of subcall function 010116C3: GetLastError.KERNEL32 ref: 0101174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01011286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010112A8
CloseHandle.KERNEL32(?), ref: 010112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010112D1
GetProcessWindowStation.USER32 ref: 010112EA
SetProcessWindowStation.USER32(00000000), ref: 010112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01011310

Part of subcall function 010110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010111FC), ref: 010110D4
Part of subcall function 010110BF: CloseHandle.KERNEL32(?,?,010111FC), ref: 010110E9

Strings

winsta0, xrefs: 010112CC
default, xrefs: 0101130B
, xrefs: 0101125A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 61016e14f43c8f0a70bd14bfc39c1cb42a8b1df5e859f0133f25c53ed033343d
Instruction ID: 9be07ae51160f52ffe56f472c6f2b3a6c7347c44f31f897d78a40952f25d318a
Opcode Fuzzy Hash: 61016e14f43c8f0a70bd14bfc39c1cb42a8b1df5e859f0133f25c53ed033343d
Instruction Fuzzy Hash: 4781B1B1900209AFEF259FA8DD49FEE7FB9EF08700F044069FB90A6154CB399944CB61

Function 01010B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
Part of subcall function 010110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
Part of subcall function 010110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
Part of subcall function 010110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01010BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01010C00
GetLengthSid.ADVAPI32(?), ref: 01010C17
GetAce.ADVAPI32(?,00000000,?), ref: 01010C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01010C6D
GetLengthSid.ADVAPI32(?), ref: 01010C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01010C8C
HeapAlloc.KERNEL32(00000000), ref: 01010C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01010CB4
CopySid.ADVAPI32(00000000), ref: 01010CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01010CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01010D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01010D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D45
HeapFree.KERNEL32(00000000), ref: 01010D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D55
HeapFree.KERNEL32(00000000), ref: 01010D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D65
HeapFree.KERNEL32(00000000), ref: 01010D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01010D78
HeapFree.KERNEL32(00000000), ref: 01010D7F

Part of subcall function 01011193: GetProcessHeap.KERNEL32(00000008,01010BB1,?,00000000,?,01010BB1,?), ref: 010111A1
Part of subcall function 01011193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01010BB1,?), ref: 010111A8
Part of subcall function 01011193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01010BB1,?), ref: 010111B7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f47b0c6f280f7378acd8333d6dc857d3796eadc9d85797ca065db7080dd0acb7
Instruction ID: b672d2b158bc3b2308c7eb4b17303fe093551d7a7a39254fb6fe9d151e69f773
Opcode Fuzzy Hash: f47b0c6f280f7378acd8333d6dc857d3796eadc9d85797ca065db7080dd0acb7
Instruction Fuzzy Hash: D1718EB590120AABEF20DFA4DD84BEEBBB8BF05300F044155FA94A6188D779A945CB60

Function 0102EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0104CC08), ref: 0102EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0102EB37
GetClipboardData.USER32(0000000D), ref: 0102EB43
CloseClipboard.USER32 ref: 0102EB4F
GlobalLock.KERNEL32(00000000), ref: 0102EB87
CloseClipboard.USER32 ref: 0102EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0102EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0102EBC9
GetClipboardData.USER32(00000001), ref: 0102EBD1
GlobalLock.KERNEL32(00000000), ref: 0102EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0102EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0102EC38
GetClipboardData.USER32(0000000F), ref: 0102EC44
GlobalLock.KERNEL32(00000000), ref: 0102EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0102EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0102EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0102ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0102ECF3
CountClipboardFormats.USER32 ref: 0102ED14
CloseClipboard.USER32 ref: 0102ED59

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7cbf5d20d7217e42b3df862a640e67f4e1a78592563b632d17143f3c9db9f899
Instruction ID: 2983c88d30530794d0a664058de0386636881da3c433a122ed157a82a428fbc9
Opcode Fuzzy Hash: 7cbf5d20d7217e42b3df862a640e67f4e1a78592563b632d17143f3c9db9f899
Instruction Fuzzy Hash: 3961F3782443019FE311EF28CA84F6A7BE4EF84714F18455DF5D687292CB76E905CB62

Function 0102698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010269BE
FindClose.KERNEL32(00000000), ref: 01026A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01026A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01026A75

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01026AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01026ADF

Strings

%4d, xrefs: 01026BB1
%4d%02d%02d%02d%02d%02d, xrefs: 01026B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01026B32
%03d, xrefs: 01026DA2
%02d, xrefs: 01026C00, 01026C0A, 01026C5A, 01026CAA, 01026CFA, 01026D4A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cb7e09056166d069f07f547b58569ae07f041c2e958cb39b852030fbbc6fe8e7
Instruction ID: da18783933ad18cacfcaf783b2b986d5206bca76be8508481c3595e20b63bf2e
Opcode Fuzzy Hash: cb7e09056166d069f07f547b58569ae07f041c2e958cb39b852030fbbc6fe8e7
Instruction Fuzzy Hash: 07D162B1508300AFC710EBA5CD92EABB7ECAF88704F44491DF989C7151EB79DA44DB62

Function 01029642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 01029663
GetFileAttributesW.KERNEL32(?), ref: 010296A1
SetFileAttributesW.KERNEL32(?,?), ref: 010296BB
FindNextFileW.KERNEL32(00000000,?), ref: 010296D3
FindClose.KERNEL32(00000000), ref: 010296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0102974A
SetCurrentDirectoryW.KERNEL32(01076B7C), ref: 01029768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01029772
FindClose.KERNEL32(00000000), ref: 0102977F
FindClose.KERNEL32(00000000), ref: 0102978F

Strings

*.*, xrefs: 010296F5

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 61701949f08a40e52e0d223639dcb40aad0a0921929d2ce2d39f237b522d2537
Instruction ID: f6e79525d3946f0a811b4043733744778127a5ec2b6cd476c57f454013593269
Opcode Fuzzy Hash: 61701949f08a40e52e0d223639dcb40aad0a0921929d2ce2d39f237b522d2537
Instruction Fuzzy Hash: 643128715016396BFB20AEB9DE4CADE37ECAF09225F00409AF585E2080D735C984CB14

Function 0102979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 010297BE
FindNextFileW.KERNEL32(00000000,?), ref: 01029819
FindClose.KERNEL32(00000000), ref: 01029824
FindFirstFileW.KERNEL32(*.*,?), ref: 01029840
SetCurrentDirectoryW.KERNEL32(?), ref: 01029890
SetCurrentDirectoryW.KERNEL32(01076B7C), ref: 010298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010298B8
FindClose.KERNEL32(00000000), ref: 010298C5
FindClose.KERNEL32(00000000), ref: 010298D5

Part of subcall function 0101DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0101DB00

Strings

*.*, xrefs: 0102983B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: facaafa5869e58cd475a16abcaed1489dac33a9088f3119a86e3e9b9897301fd
Instruction ID: 16f4d1888ad2b8a8f7bcaef28b51fc57bea7c1405021467de1b5e1326830c761
Opcode Fuzzy Hash: facaafa5869e58cd475a16abcaed1489dac33a9088f3119a86e3e9b9897301fd
Instruction Fuzzy Hash: ED312C31501639AFFF24EFB9DD489DE37BCAF05224F18409AE5C4A2190D775D944CB24

Function 0103BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0103BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0103BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0103C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0103C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0103C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0103C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0103C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0103C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0103C382
RegCloseKey.ADVAPI32(00000000), ref: 0103C38F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 9cbc516545fdb36cdef418f36d2ecebdc257682a9ce79a1aa2a408977cfb35c7
Instruction ID: e18092dd480c8a4d6f7b6b71f92e6233fd50de120f3838f2afe334f650be24c2
Opcode Fuzzy Hash: 9cbc516545fdb36cdef418f36d2ecebdc257682a9ce79a1aa2a408977cfb35c7
Instruction Fuzzy Hash: FC026F716042009FE754DF28C995E2ABBE9EF89308F08C49DF48ADB2A2D735ED45CB51

Function 01028195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01028257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01028267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01028273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01028310
SetCurrentDirectoryW.KERNEL32(?), ref: 01028324
SetCurrentDirectoryW.KERNEL32(?), ref: 01028356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0102838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01028395

Strings

*.*, xrefs: 0102839B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f1c0ab3f7cbec30c31d1ec0cf4467f8eda3907df8a6dcd1fb8abeb582a131b17
Instruction ID: e4eb3b45567e0e7479ce3fe904b5145174d796d567b715f05283f5a83e08698e
Opcode Fuzzy Hash: f1c0ab3f7cbec30c31d1ec0cf4467f8eda3907df8a6dcd1fb8abeb582a131b17
Instruction Fuzzy Hash: 6D617BB65083159FD710EF64C8849AEB3E8FF89310F04895EF98987251EB39E945CF92

Function 0101D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

FindFirstFileW.KERNEL32(?,?), ref: 0101D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0101D1DD
MoveFileW.KERNEL32(?,?), ref: 0101D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0101D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101D237

Part of subcall function 0101D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0101D21C,?,?), ref: 0101D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0101D253
FindClose.KERNEL32(00000000), ref: 0101D264

Strings

\*.*, xrefs: 0101D0CD, 0101D0D6, 0101D0EB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a3b9cfaed43c39bce33322bd3627563e324b6f26bc0220586032a5507aca8410
Instruction ID: b709127d25255e65580f4e451d8a45eae9aeca14505fd7950514486d2768a65e
Opcode Fuzzy Hash: a3b9cfaed43c39bce33322bd3627563e324b6f26bc0220586032a5507aca8410
Instruction Fuzzy Hash: 5C61BC3180510DABDF05EBE5CE969EDBBB5AF21300F6440A5E48273195EB39AF09DF60

Function 0102ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0102ED91
EmptyClipboard.USER32 ref: 0102ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0102EDAC
CloseClipboard.USER32 ref: 0102EEA3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 170e9ce573434552f090110c0607145c518a600fa1799902c794a4a36d2c2b0b
Instruction ID: ce5bb36b5124c816e440c5e406bcbb5f1c93ec6c5e3dd1b7b1706bccbec7ae8e
Opcode Fuzzy Hash: 170e9ce573434552f090110c0607145c518a600fa1799902c794a4a36d2c2b0b
Instruction Fuzzy Hash: C141B1752056219FE720DF19D588B19BBE5FF44318F04C099E49A8B762C77AFC41CB90

Function 0101E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
Part of subcall function 010116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
Part of subcall function 010116C3: GetLastError.KERNEL32 ref: 0101174A

ExitWindowsEx.USER32(?,00000000), ref: 0101E932

Strings

@, xrefs: 0101E925
, xrefs: 0101E95C
, xrefs: 0101E920
SeShutdownPrivilege, xrefs: 0101E902

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 082a78e72ede3c779087bf741de895e0704d24cc2117d50e89bdf8e358dbec02
Instruction ID: 8d7965e5fab195ea5c8befd5c48e50b912f173b2dc4d811c172e58e3a0e0dcfe
Opcode Fuzzy Hash: 082a78e72ede3c779087bf741de895e0704d24cc2117d50e89bdf8e358dbec02
Instruction Fuzzy Hash: 80014972A10311ABFB6622B8DD85FFF729DAB18740F040822FDC3E20C5D5AE5C4082A4

Function 01031204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 01031276
WSAGetLastError.WSOCK32 ref: 01031283
bind.WSOCK32(00000000,?,00000010), ref: 010312BA
WSAGetLastError.WSOCK32 ref: 010312C5
closesocket.WSOCK32(00000000), ref: 010312F4
listen.WSOCK32(00000000,00000005), ref: 01031303
WSAGetLastError.WSOCK32 ref: 0103130D
closesocket.WSOCK32(00000000), ref: 0103133C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 27eb58b121116f5bcf0cdb7cdc06c5a6a1bf6644f6b5e0a9ac528cdaba4efdb0
Instruction ID: 57681a1459f29723688fd94c92e32a3af677d52dc03ece6867e1f1d76badd4a0
Opcode Fuzzy Hash: 27eb58b121116f5bcf0cdb7cdc06c5a6a1bf6644f6b5e0a9ac528cdaba4efdb0
Instruction Fuzzy Hash: B94174756001009FE720DF68C584B69BBE9AF8A314F1881D8D9969F296C775EC81CBE1

Function 0101D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

FindFirstFileW.KERNEL32(?,?), ref: 0101D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0101D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101D481
FindClose.KERNEL32(00000000), ref: 0101D498
FindClose.KERNEL32(00000000), ref: 0101D4A1

Strings

\*.*, xrefs: 0101D3F2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ea9446d548e9e2e3efdd7b13659b7ac7ed50b6690e601d1566d7273192b19d54
Instruction ID: 14245ac66da7f797f750bd2509420cd7a553ce117dd0b7a06f7514006e16265b
Opcode Fuzzy Hash: ea9446d548e9e2e3efdd7b13659b7ac7ed50b6690e601d1566d7273192b19d54
Instruction Fuzzy Hash: D631CE71048341ABC301EFA5CD958EFB7E8BE91200F844A1DF4D583191EF28EA09DB63

Function 00FEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FEE645

Strings

1#IND, xrefs: 00FEF83D
1#SNAN, xrefs: 00FEF844
1#INF, xrefs: 00FEF852
1#QNAN, xrefs: 00FEF84B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fb2fba032dcd31ed223f15a0b151ce5829953f7eb94ff37bcfede494ad11d160
Instruction ID: 0c572fc91ca07f5a8f9a6e7029b674f6ba382b50af06c05b4823156c002fa39e
Opcode Fuzzy Hash: fb2fba032dcd31ed223f15a0b151ce5829953f7eb94ff37bcfede494ad11d160
Instruction Fuzzy Hash: 86C26D72E046688FDB25CF29DD407EAB7B5EB88314F1441EAD44DE7240E778AE859F40

Function 0102648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010264DC
CoInitialize.OLE32(00000000), ref: 01026639
CoCreateInstance.OLE32(0104FCF8,00000000,00000001,0104FB68,?), ref: 01026650
CoUninitialize.OLE32 ref: 010268D4

Strings

.lnk, xrefs: 010264BA, 01026524, 010265E0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: eb29866bcc9a8fc35cd24ecb4486e9e6c6e36ffd44cc0d329e0bf4b90b406d3a
Instruction ID: 2bad5379ee06c184e10ff9ef8fd3686820bfe3d40367ede82c37e577ecd184ad
Opcode Fuzzy Hash: eb29866bcc9a8fc35cd24ecb4486e9e6c6e36ffd44cc0d329e0bf4b90b406d3a
Instruction Fuzzy Hash: 15D16A71508311AFD314EF25C881EABBBE8FF98304F10496DF5958B291EB75E905CBA2

Function 01029B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01029B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01029C8B

Part of subcall function 01023874: GetInputState.USER32 ref: 010238CB
Part of subcall function 01023874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01023966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01029BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01029C75

Strings

*.*, xrefs: 01029B5D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3319fc83f9dc685b54c5b9347569f5c07a6d8e471e12a43d9df665673f12de06
Instruction ID: 2e0369adc3cd862838fcfbba907f2a928e8eba06d2ecb68b97ce7eefe433a004
Opcode Fuzzy Hash: 3319fc83f9dc685b54c5b9347569f5c07a6d8e471e12a43d9df665673f12de06
Instruction Fuzzy Hash: A241D27190022EAFEF51DF64C985AEE7BF8FF05304F24409AE945A3191EB309A84CF60

Function 00FC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC9A4E
GetSysColor.USER32(0000000F), ref: 00FC9B23
SetBkColor.GDI32(?,00000000), ref: 00FC9B36

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9e855eff11f10b20e127b6ecfc0c963a333850f41ddba7926ea039accc6403f5
Instruction ID: 0cfb2d5f68cc08db747fd0a5292e42f8b513c8d5c661b6a3bff64fba80273d71
Opcode Fuzzy Hash: 9e855eff11f10b20e127b6ecfc0c963a333850f41ddba7926ea039accc6403f5
Instruction Fuzzy Hash: 4CA107B150C046BEF7299A2C8E8EFBF399DEB46350F14015DF1C2965C5CAAD9D01E271

Function 01031806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103304E: inet_addr.WSOCK32(?), ref: 0103307A
Part of subcall function 0103304E: _wcslen.LIBCMT ref: 0103309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0103185D
WSAGetLastError.WSOCK32 ref: 01031884
bind.WSOCK32(00000000,?,00000010), ref: 010318DB
WSAGetLastError.WSOCK32 ref: 010318E6
closesocket.WSOCK32(00000000), ref: 01031915

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 35c5c0fb6b9b2b90555d0a2b5382b6d52aa15aea56f89d1f22e7a7a42f251ca8
Instruction ID: f054d06d3f756f28639abf46a1af8cda090f1646102056bd7710bc1b5656295b
Opcode Fuzzy Hash: 35c5c0fb6b9b2b90555d0a2b5382b6d52aa15aea56f89d1f22e7a7a42f251ca8
Instruction Fuzzy Hash: 46519875A002109FE710EF24C986F6A77E59B88718F08849CF9455F3C7C779AD418BE1

Function 0102CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0102CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0102CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFF2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3fc8ee9e8af7241ed6ca37d56253ad6e3dbdfde1a7a3c2f68ceac163eb3a9109
Instruction ID: 528852196e3a52e0fe373598d6067e7251f1d6426e0185d71739df9c492270ec
Opcode Fuzzy Hash: 3fc8ee9e8af7241ed6ca37d56253ad6e3dbdfde1a7a3c2f68ceac163eb3a9109
Instruction Fuzzy Hash: 43318EB1500615EFFBA0DFA9CA84EAFBBF8EF04350B10446EF596D2141DB34AA45DB60

Function 01041C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01041CC0
IsWindowEnabled.USER32 ref: 01041CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01041CDB
IsIconic.USER32 ref: 01041CE9
IsZoomed.USER32 ref: 01041CF7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7f30071e273243b250709c5094110562fa11578da47705d26ac63c3e774a5b3f
Instruction ID: 0c7f8554864299479850b9bf938ef867280de0b4adb41c56585d8f515e09e4a0
Opcode Fuzzy Hash: 7f30071e273243b250709c5094110562fa11578da47705d26ac63c3e774a5b3f
Instruction Fuzzy Hash: E321D6B17012055FE7209F1AD9C4B6A7BE5EF89315F1880B8E8C98B341C776F882CB94

Function 00FB8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00FB813C
VUUU, xrefs: 00FB843C
VUUU, xrefs: 00FB83E8
VUUU, xrefs: 00FB83FA
VUUU, xrefs: 00FF5DF0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d270e174050309dc2360b6d72472cfd92d785ffcbe21d7b453c724c2363f4cbe
Instruction ID: 299b0f01062941b78e92fea72956a549a9f060c9ec9ff328a09c7ac26a27de93
Opcode Fuzzy Hash: d270e174050309dc2360b6d72472cfd92d785ffcbe21d7b453c724c2363f4cbe
Instruction Fuzzy Hash: A8A27B71E0021ACBDF24CF59C8407FDB7B5AF94764F2481AADA15A7294DB309D82EF90

Function 0103A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0103A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0103A6BA

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0103A79C
CloseHandle.KERNEL32(00000000), ref: 0103A7AB

Part of subcall function 00FCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FF3303,?), ref: 00FCCE8A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 380a95a6ade9fd6f09de15d99cb57d90745971b66789063e29d48364e7414f8f
Instruction ID: 9591fdd5f8f13ee471d2af6c822303403547c6e0d7c174fd7e7d6bf6b83ab9ef
Opcode Fuzzy Hash: 380a95a6ade9fd6f09de15d99cb57d90745971b66789063e29d48364e7414f8f
Instruction Fuzzy Hash: 2F5169B1508301AFD710EF25CD86AABBBE8FF89714F00891DF58597251EB39D904DB92

Function 00FEBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FEBB7F

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

GetTimeZoneInformation.KERNEL32 ref: 00FEBB91
WideCharToMultiByte.KERNEL32(00000000,?,0108121C,000000FF,?,0000003F,?,?), ref: 00FEBC09
WideCharToMultiByte.KERNEL32(00000000,?,01081270,000000FF,?,0000003F,?,?,?,0108121C,000000FF,?,0000003F,?,?), ref: 00FEBC36

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 71ca21a603c42bc940fd43b5eed74ab34d5847a3f785a8e994bf9bd509b7c5ee
Instruction ID: 3aa04fe6f5a930c4b223f9f19fd3a21f93bfa5d89213eaae68d4aff2dd6efe41
Opcode Fuzzy Hash: 71ca21a603c42bc940fd43b5eed74ab34d5847a3f785a8e994bf9bd509b7c5ee
Instruction Fuzzy Hash: FD31A5B1D08285DFCB21DF6ADC8156EBBB8FF45320714425AE0D0D72A5D7359D11EB50

Function 0101DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00FF5222), ref: 0101DBCE
GetFileAttributesW.KERNEL32(?), ref: 0101DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0101DBEE
FindClose.KERNEL32(00000000), ref: 0101DBFA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: df650e0f555a96af76f05aba5ffacf151418927b0df3577da346f669a1e525d8
Instruction ID: 4750fe9ef2a02a01df119dff16373beb5f5f390ab9f715962a9852cad36d92ac
Opcode Fuzzy Hash: df650e0f555a96af76f05aba5ffacf151418927b0df3577da346f669a1e525d8
Instruction Fuzzy Hash: 9FF0EC7441191597A3306BBC9F4D4AA37AC9F01334B104B42F5F5C10E4EBF9595487D5

Function 01018298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010182AA

Strings

|, xrefs: 010182DA
(, xrefs: 010182F0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4fc059f8c637ee46c6004a14957fe13c5f0263e8a1ed378dcbce60c33501df9c
Instruction ID: 8867a19adc1518d5011fb31ad30748ee444769a254c286ee101210e22c423ba1
Opcode Fuzzy Hash: 4fc059f8c637ee46c6004a14957fe13c5f0263e8a1ed378dcbce60c33501df9c
Instruction Fuzzy Hash: 6B323674A007059FDB28CF59C481A6AB7F0FF48310B15C5AEE99ADB3A5E774EA41CB40

Function 01025C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01025CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01025D17
FindClose.KERNEL32(?), ref: 01025D5F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2b339441632761923635de2b0550cce6964fbedc70286f77917103302c13a8b8
Instruction ID: cdd90ca96e01d2c00d38ca6e0499fe8a019ce1ea9896f9b2b481df7545bc4c6f
Opcode Fuzzy Hash: 2b339441632761923635de2b0550cce6964fbedc70286f77917103302c13a8b8
Instruction Fuzzy Hash: A551BB746046019FD324DF28C894E9AB7E4FF49314F14859EEA9A8B3A2CB34E905CF91

Function 00FE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FE2731

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff05fe2eee98c580520ca5c81a6a0c0f2b12e6da27534f7527f36860ec4b8832
Instruction ID: 1a4fc8bb68a32aa02cbc7686de97eabf21585f41107b70d6d36397afb3446d33
Opcode Fuzzy Hash: ff05fe2eee98c580520ca5c81a6a0c0f2b12e6da27534f7527f36860ec4b8832
Instruction Fuzzy Hash: 0331D57490121CABCB61DF64DD8879CB7B8AF08310F5041EAE40CA7260EB349F819F44

Function 010251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01025238
SetErrorMode.KERNEL32(00000000), ref: 010252A1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0afb903a804c613a31441ce3e2c42c3a1b962efd3d344149b9d4493aca5c2108
Instruction ID: 2a75db941b01b77ba401c4b69913703db0f4ab7728d99f79186b314c15157ff4
Opcode Fuzzy Hash: 0afb903a804c613a31441ce3e2c42c3a1b962efd3d344149b9d4493aca5c2108
Instruction Fuzzy Hash: 5B314B75A001189FDB00DF54D884EEDBBB4FF49314F188099E945AB396DB36E859CBA0

Function 010116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FD0668
Part of subcall function 00FCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
GetLastError.KERNEL32 ref: 0101174A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7b845fdb001e239eea77e60c3cd4c055093c7c6c4c789204650fc8cac65d8bcf
Instruction ID: 526310bb1d220b47d85e8ef2e27f37c50b88315f78f1109e87de01fd4f21ecaf
Opcode Fuzzy Hash: 7b845fdb001e239eea77e60c3cd4c055093c7c6c4c789204650fc8cac65d8bcf
Instruction Fuzzy Hash: C311CEB2400305AFE7289F64EDC6E6ABBF9FB04714B20852EF59653245EB75BC418B20

Function 0101D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0101D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0101D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0101D650

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1aa9634148c7c479825d483d9c85ba6f73a0733b66ab23008dc67b78f3011171
Instruction ID: 25adda8ae497e67ec2e4928290c3d9c53c4b70ec750698f318fa4540bb530ae2
Opcode Fuzzy Hash: 1aa9634148c7c479825d483d9c85ba6f73a0733b66ab23008dc67b78f3011171
Instruction Fuzzy Hash: 0D11A5B5E01228BFEB208F98DD48FAFBFBCEB49B50F104151F904E7284C2745A018BA1

Function 01011663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0101168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010116A1
FreeSid.ADVAPI32(?), ref: 010116B1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 649478a36e4aaf523900ecf54748ffd342b82e48950f9940c035adf34c883927
Instruction ID: b0faec7228f12f0484c3ec79d49745ca66106dca07cbc4d0d1802485f5e4d5c4
Opcode Fuzzy Hash: 649478a36e4aaf523900ecf54748ffd342b82e48950f9940c035adf34c883927
Instruction Fuzzy Hash: C8F06D7594130CBBEF00CFE4CA89EAEBBBCFB08200F004860F500E2180D335AA048B50

Function 0100D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0100D28C

Strings

X64, xrefs: 0100D2A8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7731a3ba950923721242b8eb4d7f405427b360f9639760b31bc6fcb86185c3d3
Instruction ID: f0dd8843a02c8b805f4e0db9ebd637f4b98bb49a1bacb47f41cbfb9c01a90267
Opcode Fuzzy Hash: 7731a3ba950923721242b8eb4d7f405427b360f9639760b31bc6fcb86185c3d3
Instruction Fuzzy Hash: A4D0C9B580211DEBDB90CA90D9C8EDDB37CBB14315F000155F146A2040D73495488F20

Function 00FDCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0ec09bfbf72540a9a835a91fdbcc500dca4054007af314270c8d849a4306da2f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F1021E71E0011A9BDF14CFA9C9806ADFBF2FF48324F29426AD919E7384D731A941DB94

Function 010268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01026918
FindClose.KERNEL32(00000000), ref: 01026961

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 40a7716a254376e3936945a83ce23cc503ea04fe5927219d6bd2df71e65a0e8c
Instruction ID: 8ac45eb550a19c07d12bb6cb7a2ca200bbb13d6b0dccc26fc99f7487b9113a2e
Opcode Fuzzy Hash: 40a7716a254376e3936945a83ce23cc503ea04fe5927219d6bd2df71e65a0e8c
Instruction Fuzzy Hash: 4F11D3756042109FD710DF2AC484A56BBE4FF85328F04C699F9A98F2A2CB35EC05CB90

Function 010237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01034891,?,?,00000035,?), ref: 010237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01034891,?,?,00000035,?), ref: 010237F4

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5d484545c30f3696cb7447cd43ab857254fcbab952663134115d582b6dc969cc
Instruction ID: c4a1cf5b9420bf9a918e24786cd695d1065fddfbeb122f205aab211972864b81
Opcode Fuzzy Hash: 5d484545c30f3696cb7447cd43ab857254fcbab952663134115d582b6dc969cc
Instruction Fuzzy Hash: 47F0ECB46052296BEB3016664D4DFEB3A9DFFC4761F000165F509D2185D5645904C7B0

Function 010110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010111FC), ref: 010110D4
CloseHandle.KERNEL32(?,?,010111FC), ref: 010110E9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9ddec3d5e773f2a16a63160a3138723543dfb493b7e91c2019767a6f1abbf590
Instruction ID: 01fa13f55269a1594a00b28faeed41018438937d756e13779c0d37ea07b08d75
Opcode Fuzzy Hash: 9ddec3d5e773f2a16a63160a3138723543dfb493b7e91c2019767a6f1abbf590
Instruction Fuzzy Hash: 52E04F72005611AFF7352B21FE06F73BBE9EB04310B10882DF5A6804B5DB666C90EB10

Function 00FBCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01000C40

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: efbcd7726aa545fb5e6612818422ec1db139e31b26cb368cf6717a8dcc83636f
Instruction ID: 4e0cd668a339c98a4cf83ffebccfbb2c18efa8f522dc1b0f9279c97dde1748cd
Opcode Fuzzy Hash: efbcd7726aa545fb5e6612818422ec1db139e31b26cb368cf6717a8dcc83636f
Instruction Fuzzy Hash: BE32BF74900208DBDF15DF95C881BFEBBB5BF04344F1080A9E846AB286CB75AD45EFA0

Function 00FE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FE6766,?,?,00000008,?,?,00FEFEFE,00000000), ref: 00FE6998

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1184fe288ff2e6785ed18563fe0dae6b52c7545844f449d0520eafadcd9d03ad
Instruction ID: eae6ccfec06b48326eb75b1f31153e7824eebca2cf1b2b88d8a77087b52af0ad
Opcode Fuzzy Hash: 1184fe288ff2e6785ed18563fe0dae6b52c7545844f449d0520eafadcd9d03ad
Instruction Fuzzy Hash: F0B17D32A10648CFD715CF29C48AB647BE0FF153A4F258658E8D9CF2A2C335EA81DB40

Function 00FCB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0100851F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e71effcd8ba3a6a3f436c07dc32c8579ac99806d616c431d43f7a95ab4097c91
Instruction ID: 6bc4af39848ff12b81c46f21bd9cc5dede982e8ef4ee20e87b73372b62f28ae7
Opcode Fuzzy Hash: e71effcd8ba3a6a3f436c07dc32c8579ac99806d616c431d43f7a95ab4097c91
Instruction Fuzzy Hash: 27128E75D0022ADBDB15CF58C981BEEB7F5FF48310F1081AAE849EB295D7349A81DB90

Function 0102EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0102EABD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 31dc09bb97396c2d21b6a6881b4cd506713f229b9efd343011509277378b20ea
Instruction ID: 82979a56aefc2179cce6dde32deba2460c98714eda9790722853cbcbb960c44b
Opcode Fuzzy Hash: 31dc09bb97396c2d21b6a6881b4cd506713f229b9efd343011509277378b20ea
Instruction Fuzzy Hash: D3E04F352002149FD710EF5AD844E9AF7EDAF98764F00845AFC8AC7351DBB4F8408BA1

Function 0101E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0101E37E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 27eb5ba48e83bb9c2a83add63fac3213c06026b2115b4995709e6a21abf316e2
Instruction ID: 76cf4470b07f809d6ca9cc0efc76cdf218603079584217e542a97fe3fd53baa5
Opcode Fuzzy Hash: 27eb5ba48e83bb9c2a83add63fac3213c06026b2115b4995709e6a21abf316e2
Instruction Fuzzy Hash: 60D05BF69502013DF67F093CCA3FF7E3948E301540F40D789B9C18558DD58D95445011

Function 00FD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FD03EE), ref: 00FD09DA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e30b468dcd370fb597ce4eb0c9c979bb3df543af61a6ac2bee5615c2933c59bc
Instruction ID: 29bc029ac08ff65445c1443ec37554059e21f33ccab96ce3ad1c12cf16d18755
Opcode Fuzzy Hash: e30b468dcd370fb597ce4eb0c9c979bb3df543af61a6ac2bee5615c2933c59bc
Instruction Fuzzy Hash:

Function 00FD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FD798B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0bcec54859ad7e679b65416c172dfa5ec6e14ed46baba19462af35d8c1db25fc
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BB512572E0C7455ADB387568886A7BE73979B02360F2C050BD886DF382F619DE06F356

Function 00FE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58340813ae995f8a32acd47bbeb83919726482b623e3881532716577c3c5885
Instruction ID: 84d44c8f69f79af992799ea23862d20a89d282e4049f3d1d8703eb6541053119
Opcode Fuzzy Hash: d58340813ae995f8a32acd47bbeb83919726482b623e3881532716577c3c5885
Instruction Fuzzy Hash: 54325732D29F818DD733A535D8223366249AFB73D5F25C737F81AB5999EB2AC4835200

Function 00FCCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad410da5bd3bebb3234123215b208b11da836efd24136b42fd274ebdc860aaab
Instruction ID: c4fd43e1b6d05baba6e642a8de4521efb0ef5f332cb99a5371ba0aea5db6d792
Opcode Fuzzy Hash: ad410da5bd3bebb3234123215b208b11da836efd24136b42fd274ebdc860aaab
Instruction Fuzzy Hash: 7A32F731A001868BFF26CE2CC695BBD7BE1EB45314F1882EAD6C9DB2D1D6349D81E741

Function 00FB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035f929db5528c01ce687d21cd4c72a04cc6090f8be98af89113743e1ea913dd
Instruction ID: df34b0cdba744a7d7980f9d2c8b78e4afcc2f3e3c0daebb4dc7293aed475540e
Opcode Fuzzy Hash: 035f929db5528c01ce687d21cd4c72a04cc6090f8be98af89113743e1ea913dd
Instruction Fuzzy Hash: 7622C171E0460A9FDF14DF65C881BEEB3B6FF44710F148129E912AB2A1EB399914EF50

Function 00FB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e818dac528888d23662ae14b2e9488a186c0a3ef52d4b1755bd720e11091cd5
Instruction ID: 77d9a11414bd6c51d7a4c9e15a8aac8d9bbe17563f6b274e49b822eb791f04cd
Opcode Fuzzy Hash: 5e818dac528888d23662ae14b2e9488a186c0a3ef52d4b1755bd720e11091cd5
Instruction Fuzzy Hash: 3002E6B1E0020AEBDB14DF54D881BADB7B5FF44300F108169E9069B3A0EB35AE14EF91

Function 00FE9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23fc04bdfdf04037809f78004f8876fb01129860b7ad7afff9a00b8affd420b
Instruction ID: dd070c1c981e252c5383d5eaf9418582bad1fd3ec475cee9c72a62292b6abacb
Opcode Fuzzy Hash: f23fc04bdfdf04037809f78004f8876fb01129860b7ad7afff9a00b8affd420b
Instruction Fuzzy Hash: 50B1DD30E2AF404DD72396398821337B65CBFBB6D5B91D71BFC6678E16EB2685834240

Function 00FD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: de327eba4b9be7bbf82fb6790c97d8beb057792f55ff090eed8c67f93381cb6f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: DA915873A080A359DB294639857417EFFE36A923B131E079FD4F2CB2C5EE149554F620

Function 00FD1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: bc268fc8ae12e701db64e41a8dc059e572a10273281a9c1b3f5609f0f6d9a1df
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 139133736090A349DB694239857813EFFE35AA23B131E479FE4F2CB2C5EE248554F660

Function 00FD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5ade836d50f2ba1a2e2700176c81c1f7ff226f23d3ed3932f0be03e06c472548
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 6D9143736090A35ADB2D427A857407EFFE26A923B131E079FD4F2CA2C5FD249564F620

Function 00FD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a0e8338f4ae30d394ae593967e9a9e0a899335f3f4358955dadde2426327ec
Instruction ID: 0044475403c1d031b7f600f15e44cabb12c3c20a0073e958e124c2a47b8735d7
Opcode Fuzzy Hash: 27a0e8338f4ae30d394ae593967e9a9e0a899335f3f4358955dadde2426327ec
Instruction Fuzzy Hash: 18617932A0870956DA34BA288C96BBE3397DF81760F1C091BE843DF395F6199E43B355

Function 00FD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6881065cb1fca9e28be1ecf94750afcc7befb2ccbb9d147fc015b3291199af01
Instruction ID: 5d0f5e1b21c5b005b7c5d6aa0435673f2387f18bca79bd88d46a8749373196d3
Opcode Fuzzy Hash: 6881065cb1fca9e28be1ecf94750afcc7befb2ccbb9d147fc015b3291199af01
Instruction Fuzzy Hash: 71617932E0870956DA387A288C52BBF73979F42764F1C095BE843DF381FA16ED42B255

Function 00FD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b8c7e90210c7dae8e70810bc4190ebfa1ec5295057d372db13c03a4ad69e6ed5
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7A815673A090A319EB698279853443EFFE37A923B131E079FD4F2CA2D1ED248554F620

Function 01022046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008bf39707338cc9d983f86ebc8232bde26f408400f51856fa11cfb2ac2a7b53
Instruction ID: ece4be69f79a78f07b7dc9b32499637644add3f7ba539005fa8f4667404510ca
Opcode Fuzzy Hash: 008bf39707338cc9d983f86ebc8232bde26f408400f51856fa11cfb2ac2a7b53
Instruction Fuzzy Hash: 4421B7326206118BD728CEB9C86267E73E5A754314F25866EE4E7C77C5DE3AA904CB80

Function 01032ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01032B30
DeleteObject.GDI32(00000000), ref: 01032B43
DestroyWindow.USER32 ref: 01032B52
GetDesktopWindow.USER32 ref: 01032B6D
GetWindowRect.USER32(00000000), ref: 01032B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01032CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01032CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032CF8
GetClientRect.USER32(00000000,?), ref: 01032D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01032D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032DA8
GlobalFree.KERNEL32(00000000), ref: 01032DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0104FC38,00000000), ref: 01032DDB
GlobalFree.KERNEL32(00000000), ref: 01032DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01032E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01032E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103303F

Strings

, xrefs: 01032FC5
DISPLAY, xrefs: 01032EA2
static, xrefs: 01032D3A, 01032E91
AutoIt v3, xrefs: 01032CF2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aefec44401f60c49a5288460d31846f3012a051cabca043dd429e7b944057986
Instruction ID: b5d479a259b64884447a2c3a9223abab54f08cd9c661ff2c3e86b238aedc940a
Opcode Fuzzy Hash: aefec44401f60c49a5288460d31846f3012a051cabca043dd429e7b944057986
Instruction Fuzzy Hash: C6027EB5500204AFEB24DFA5CE89EAE7BB9FF49310F048158F955AB294C779AD01CF60

Function 010470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0104712F
GetSysColorBrush.USER32(0000000F), ref: 01047160
GetSysColor.USER32(0000000F), ref: 0104716C
SetBkColor.GDI32(?,000000FF), ref: 01047186
SelectObject.GDI32(?,?), ref: 01047195
InflateRect.USER32(?,000000FF,000000FF), ref: 010471C0
GetSysColor.USER32(00000010), ref: 010471C8
CreateSolidBrush.GDI32(00000000), ref: 010471CF
FrameRect.USER32(?,?,00000000), ref: 010471DE
DeleteObject.GDI32(00000000), ref: 010471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01047230
FillRect.USER32(?,?,?), ref: 01047262
GetWindowLongW.USER32(?,000000F0), ref: 01047284

Part of subcall function 010473E8: GetSysColor.USER32(00000012), ref: 01047421
Part of subcall function 010473E8: SetTextColor.GDI32(?,?), ref: 01047425
Part of subcall function 010473E8: GetSysColorBrush.USER32(0000000F), ref: 0104743B
Part of subcall function 010473E8: GetSysColor.USER32(0000000F), ref: 01047446
Part of subcall function 010473E8: GetSysColor.USER32(00000011), ref: 01047463
Part of subcall function 010473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01047471
Part of subcall function 010473E8: SelectObject.GDI32(?,00000000), ref: 01047482
Part of subcall function 010473E8: SetBkColor.GDI32(?,00000000), ref: 0104748B
Part of subcall function 010473E8: SelectObject.GDI32(?,?), ref: 01047498
Part of subcall function 010473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010474B7
Part of subcall function 010473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010474CE
Part of subcall function 010473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010474DB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b3bac402bde4449fc7d94ca487e7a6f74483a917cb3163b7c9ed9c25ced97cc0
Instruction ID: b28da65a062b6ad63ea76a2bd0bd16e51b913d0469267597c7c5ca89f9f9c0d7
Opcode Fuzzy Hash: b3bac402bde4449fc7d94ca487e7a6f74483a917cb3163b7c9ed9c25ced97cc0
Instruction Fuzzy Hash: C8A1B2B6009301BFE7219F64DE88A5F7BE9FB49320F100A29FAE2961E0D735D444CB91

Function 00FC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01006AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01006AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01006F43

Part of subcall function 00FC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC8BE8,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8FC5

SendMessageW.USER32(?,00001053), ref: 01006F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01006F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01006FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01006FB7

Strings

0, xrefs: 01006DCF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ec40ef50dcfedb18bb22f091964a04790f381e869a3c59ccb634458a1349124a
Instruction ID: 9c4554b7386448957ba313087cdbe2912f7b412b1e4fe6a47d48d1ee0bacc641
Opcode Fuzzy Hash: ec40ef50dcfedb18bb22f091964a04790f381e869a3c59ccb634458a1349124a
Instruction Fuzzy Hash: B812B070505202EFE726DF18CA85BA97BE2FF45300F1444ADF5D58B292CB37A8A2DB51

Function 01032711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0103273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0103286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01032900
GetClientRect.USER32(00000000,?), ref: 0103290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01032955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01032964
GetStockObject.GDI32(00000011), ref: 01032974
SelectObject.GDI32(00000000,00000000), ref: 01032978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01032988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01032991
DeleteDC.GDI32(00000000), ref: 0103299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01032A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01032A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01032A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01032A77
GetStockObject.GDI32(00000011), ref: 01032A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01032A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01032A97

Strings

msctls_progress32, xrefs: 01032A13
DISPLAY, xrefs: 0103295A
static, xrefs: 0103294F, 01032A71
AutoIt v3, xrefs: 010328F8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 55ff01a913bd90a3b79bd37f92180ac6e379334c834f58ee56fa88d8cee36b74
Instruction ID: 48cd11d79c8aaad81508408f0ae8ca074b27f7e5b0ace4eff10c214d1cede332
Opcode Fuzzy Hash: 55ff01a913bd90a3b79bd37f92180ac6e379334c834f58ee56fa88d8cee36b74
Instruction Fuzzy Hash: 0DB18DB5A00205AFEB24DF68CD89FAE7BA9FF48710F008554FA55E7294D774E900CBA0

Function 01024ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01024AED
GetDriveTypeW.KERNEL32(?,0104CB68,?,\\.\,0104CC08), ref: 01024BCA
SetErrorMode.KERNEL32(00000000,0104CB68,?,\\.\,0104CC08), ref: 01024D36

Strings

Fibre, xrefs: 01024CAD
iSCSI, xrefs: 01024CC2
SCSI, xrefs: 01024C8A
ATA, xrefs: 01024C98
MMC, xrefs: 01024CDE
\\.\, xrefs: 01024B3F
RAID, xrefs: 01024CBB
SAS, xrefs: 01024CC9
SATA, xrefs: 01024CD0
Unknown, xrefs: 01024BED, 01024C83
Removable, xrefs: 01024C10, 01024C15
ATAPI, xrefs: 01024C91
PhysicalDrive, xrefs: 01024B76
CDROM, xrefs: 01024BFB
USB, xrefs: 01024CB4
Virtual, xrefs: 01024CE5
SSA, xrefs: 01024CA6
Fixed, xrefs: 01024C09
1394, xrefs: 01024C9F
RAMDisk, xrefs: 01024BF4
FileBackedVirtual, xrefs: 01024CEC
SSD, xrefs: 01024C4A
Network, xrefs: 01024C02

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9cfc9d1d97bbe3e46e3aeadb8f72fdfba5f7da962c64490a4b2926db91010155
Instruction ID: bad18a34a07917ca7e481d30c8cc9ce06b12fce817e9f859f33f80d67225d477
Opcode Fuzzy Hash: 9cfc9d1d97bbe3e46e3aeadb8f72fdfba5f7da962c64490a4b2926db91010155
Instruction Fuzzy Hash: 4A61C630A0451ADBDB55EF1DCA819BD7BE1AB04200B24405AF88BEB712DB76ED85CB45

Function 010473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01047421
SetTextColor.GDI32(?,?), ref: 01047425
GetSysColorBrush.USER32(0000000F), ref: 0104743B
GetSysColor.USER32(0000000F), ref: 01047446
CreateSolidBrush.GDI32(?), ref: 0104744B
GetSysColor.USER32(00000011), ref: 01047463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01047471
SelectObject.GDI32(?,00000000), ref: 01047482
SetBkColor.GDI32(?,00000000), ref: 0104748B
SelectObject.GDI32(?,?), ref: 01047498
InflateRect.USER32(?,000000FF,000000FF), ref: 010474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01047554
InflateRect.USER32(?,000000FD,000000FD), ref: 01047572
DrawFocusRect.USER32(?,?), ref: 0104757D
GetSysColor.USER32(00000011), ref: 0104758E
SetTextColor.GDI32(?,00000000), ref: 01047596
DrawTextW.USER32(?,010470F5,000000FF,?,00000000), ref: 010475A8
SelectObject.GDI32(?,?), ref: 010475BF
DeleteObject.GDI32(?), ref: 010475CA
SelectObject.GDI32(?,?), ref: 010475D0
DeleteObject.GDI32(?), ref: 010475D5
SetTextColor.GDI32(?,?), ref: 010475DB
SetBkColor.GDI32(?,?), ref: 010475E5

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ebeb390d14a30c0e928a85feccad1b4a87fa71a7992bb836af44f9fa61da5b0b
Instruction ID: 24a0412f4f5c1efd47d5acefa8e077d664d4e5ee7303c5405bffc6ba38c6d3c6
Opcode Fuzzy Hash: ebeb390d14a30c0e928a85feccad1b4a87fa71a7992bb836af44f9fa61da5b0b
Instruction Fuzzy Hash: 3661A1B6901218AFEF119FA4DD88EEE7FB9EB09320F104161FA51BB291D7759940CF90

Function 01040FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01041128
GetDesktopWindow.USER32 ref: 0104113D
GetWindowRect.USER32(00000000), ref: 01041144
GetWindowLongW.USER32(?,000000F0), ref: 01041199
DestroyWindow.USER32(?), ref: 010411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01041232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01041245
IsWindowVisible.USER32(00000000), ref: 010412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010412D0
GetWindowRect.USER32(00000000,?), ref: 010412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0104130E
GetMonitorInfoW.USER32(00000000,?), ref: 01041328
CopyRect.USER32(?,?), ref: 0104133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010413AA

Strings

tooltips_class32, xrefs: 010411E6
0, xrefs: 010410D3
(, xrefs: 0104131B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 145dbff08522e1cad3f708d7726876ff7b614dc3280b9784a4dd225dce911ee9
Instruction ID: 834e1bfb2a6a118db15e5c360d55781cba71caf9f48b24f3767011f7b7b376dc
Opcode Fuzzy Hash: 145dbff08522e1cad3f708d7726876ff7b614dc3280b9784a4dd225dce911ee9
Instruction Fuzzy Hash: FAB18DB1604341AFE754DF65C984BAABBE4FF88350F008968F9999B261C771E844CF92

Function 00FC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC8968
GetSystemMetrics.USER32(00000007), ref: 00FC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC899B
GetSystemMetrics.USER32(00000008), ref: 00FC89A3
GetSystemMetrics.USER32(00000004), ref: 00FC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FC8A5A
GetStockObject.GDI32(00000011), ref: 00FC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC8A81

Part of subcall function 00FC912D: GetCursorPos.USER32(?), ref: 00FC9141
Part of subcall function 00FC912D: ScreenToClient.USER32(00000000,?), ref: 00FC915E
Part of subcall function 00FC912D: GetAsyncKeyState.USER32(00000001), ref: 00FC9183
Part of subcall function 00FC912D: GetAsyncKeyState.USER32(00000002), ref: 00FC919D

SetTimer.USER32(00000000,00000000,00000028,00FC90FC), ref: 00FC8AA8

Strings

AutoIt v3 GUI, xrefs: 00FC8A20

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 73a24b004fcbae08ee2a8c24fbee51c0f28cff2ff0f21dacbd6ab9fdcb614f9b
Instruction ID: 817778a743a0a5ce791869a222fc5affcb1ca780becdfff28d3a8dd1781feb07
Opcode Fuzzy Hash: 73a24b004fcbae08ee2a8c24fbee51c0f28cff2ff0f21dacbd6ab9fdcb614f9b
Instruction Fuzzy Hash: 70B19375A0020AEFEB15DF68CA85FAE3BB5FB48310F004219FA95A72C4DB39D941CB50

Function 01010D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
Part of subcall function 010110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
Part of subcall function 010110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
Part of subcall function 010110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01010DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01010E29
GetLengthSid.ADVAPI32(?), ref: 01010E40
GetAce.ADVAPI32(?,00000000,?), ref: 01010E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01010E96
GetLengthSid.ADVAPI32(?), ref: 01010EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01010EB5
HeapAlloc.KERNEL32(00000000), ref: 01010EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01010EDD
CopySid.ADVAPI32(00000000), ref: 01010EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01010F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01010F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01010F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F6E
HeapFree.KERNEL32(00000000), ref: 01010F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F7E
HeapFree.KERNEL32(00000000), ref: 01010F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F8E
HeapFree.KERNEL32(00000000), ref: 01010F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01010FA1
HeapFree.KERNEL32(00000000), ref: 01010FA8

Part of subcall function 01011193: GetProcessHeap.KERNEL32(00000008,01010BB1,?,00000000,?,01010BB1,?), ref: 010111A1
Part of subcall function 01011193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01010BB1,?), ref: 010111A8
Part of subcall function 01011193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01010BB1,?), ref: 010111B7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3a61fb9ed5fc9545b4d5619290c839e68bb4d41a31fd28cd272c79e823f7c891
Instruction ID: 064c7c1203423fb2cc581cdf7d199a012fc6c49d5c8a69653a78f81ae9664576
Opcode Fuzzy Hash: 3a61fb9ed5fc9545b4d5619290c839e68bb4d41a31fd28cd272c79e823f7c891
Instruction Fuzzy Hash: 52718EB190120AABEB209FA5DD45FEEBBB8BF05300F044159FA99E7188D7399945CB60

Function 0103C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0104CC08,00000000,?,00000000,?,?), ref: 0103C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0103C5A4
_wcslen.LIBCMT ref: 0103C5F4
_wcslen.LIBCMT ref: 0103C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0103C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0103C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0103C84D
RegCloseKey.ADVAPI32(?), ref: 0103C881
RegCloseKey.ADVAPI32(00000000), ref: 0103C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0103C960

Strings

REG_MULTI_SZ, xrefs: 0103C6F5
REG_BINARY, xrefs: 0103C913
REG_EXPAND_SZ, xrefs: 0103C5CD
REG_DWORD, xrefs: 0103C804
REG_SZ, xrefs: 0103C644
REG_QWORD, xrefs: 0103C8C3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b714c552eb9e522b599cfd70c05c36f0d17684385183581dc8793531021da3c5
Instruction ID: 1d9f2ba5476e91c3473a98e3a5631da5325cb2826f06f1693db312dd1b0211fb
Opcode Fuzzy Hash: b714c552eb9e522b599cfd70c05c36f0d17684385183581dc8793531021da3c5
Instruction Fuzzy Hash: B8129D352042019FE714DF15C981A6AB7E5FF88314F08889DF88A9B3A2DB35ED41DB91

Function 0104091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010409C6
_wcslen.LIBCMT ref: 01040A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01040A54
_wcslen.LIBCMT ref: 01040A8A
_wcslen.LIBCMT ref: 01040B06
_wcslen.LIBCMT ref: 01040B81

Part of subcall function 00FCF9F2: _wcslen.LIBCMT ref: 00FCF9FD

Part of subcall function 01012BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01012BFA

Strings

GETITEMCOUNT, xrefs: 01040C1E
CHECK, xrefs: 01040A85, 01040AA0
SELECT, xrefs: 01040D11
EXPAND, xrefs: 01040BF8
GETSELECTED, xrefs: 01040C4E
UNCHECK, xrefs: 01040D3E
GETTOTALCOUNT, xrefs: 010409F2, 01040A17
EXISTS, xrefs: 01040B7C, 01040B97
COLLAPSE, xrefs: 01040B01, 01040B1C
GETTEXT, xrefs: 01040C97
ISCHECKED, xrefs: 01040CE1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1bc875cd8d9bcc4176d3afa9f212057acfdf09164f9c30a79db41f665bf25a38
Instruction ID: c2f18390bf77bf6a20c2500dc6508136719aa3580f18d336db57655ef950cc43
Opcode Fuzzy Hash: 1bc875cd8d9bcc4176d3afa9f212057acfdf09164f9c30a79db41f665bf25a38
Instruction Fuzzy Hash: 0AE1A0752083018FC714EF29C8909AEB7E1BF88354B0489ADF9D6AB366D735ED45CB81

Function 0103C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
_wcslen.LIBCMT ref: 0103C9F1
_wcslen.LIBCMT ref: 0103CA68
_wcslen.LIBCMT ref: 0103CA9E
_wcslen.LIBCMT ref: 0103CAF9
_wcslen.LIBCMT ref: 0103CB2F
_wcslen.LIBCMT ref: 0103CB7F

Strings

HKLM, xrefs: 0103CA98, 0103CA9D
HKCR, xrefs: 0103CB29, 0103CB2E
HKEY_CURRENT_CONFIG, xrefs: 0103CB79, 0103CB7E
HKEY_CURRENT_USER, xrefs: 0103CBBD
HKU, xrefs: 0103CBF0
HKEY_USERS, xrefs: 0103CBDF
HKCU, xrefs: 0103CBCE
HKCC, xrefs: 0103CBAC
HKEY_LOCAL_MACHINE, xrefs: 0103CA62, 0103CA67
HKEY_CLASSES_ROOT, xrefs: 0103CAF3, 0103CAF8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ccb0398b03bd8f699c12bd887018aed7a65a93f82bc45fbc57e1262dc5cca5c2
Instruction ID: abb7730dcf61cb7faf0b9e49bb08f61defc1c869a0e5702ac75ef0c1488f8a6d
Opcode Fuzzy Hash: ccb0398b03bd8f699c12bd887018aed7a65a93f82bc45fbc57e1262dc5cca5c2
Instruction Fuzzy Hash: 8E712632A0052A8BEB21DE3CCE515BE33D9AFD0694F15055AF8D2F7286E635CD46D3A0

Function 0104833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0104835A
_wcslen.LIBCMT ref: 0104836E
_wcslen.LIBCMT ref: 01048391
_wcslen.LIBCMT ref: 010483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0104361A,?), ref: 0104844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01048487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01048501
FreeLibrary.KERNEL32(?), ref: 0104850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0104851D
DestroyIcon.USER32(?), ref: 0104852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01048549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01048555

Strings

.icl, xrefs: 01048368
.dll, xrefs: 010483AB
.exe, xrefs: 01048388

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 944b5b08399b7ef7eee41967af3fe388b9fad84d5a25b8fbae69b18cd54975ef
Instruction ID: d056396e30106776f8a75604908a11c3c17537e9ec230d124a8605a5c87b3850
Opcode Fuzzy Hash: 944b5b08399b7ef7eee41967af3fe388b9fad84d5a25b8fbae69b18cd54975ef
Instruction Fuzzy Hash: 356126B1900204BFEB24CFA4CDC1BBE77A8BF04711F00895AF995D61C1DB79A980DBA0

Function 00FB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 00FB77D3
#comments-end, xrefs: 00FB78D9
", xrefs: 00FF5153
Bad directive syntax error, xrefs: 00FF519A
#ce, xrefs: 00FB78ED
#include-once, xrefs: 00FB782F
#cs, xrefs: 00FB7873, 00FB78C5
#comments-start, xrefs: 00FB785F, 00FB78B1
Unterminated group of comments, xrefs: 00FF528C
#OnAutoItStartRegister, xrefs: 00FB7817
Cannot parse #include, xrefs: 00FF5279
#include, xrefs: 00FB7847
#requireadmin, xrefs: 00FB77FF
', xrefs: 00FF5169
#notrayicon, xrefs: 00FB77E7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 97266a3d96c0c929513936b47f4f22670d3a82c7c3215d1e5dd44ebb92522a75
Instruction ID: 923af481db5930e64d7bbd155a29cfb2040c028c8dc6cb51c28513675a97bf9f
Opcode Fuzzy Hash: 97266a3d96c0c929513936b47f4f22670d3a82c7c3215d1e5dd44ebb92522a75
Instruction Fuzzy Hash: 228118B1A04709BBDB20BF62CC42FFE77A5AF55700F144025FA05AA192EB74D911FB91

Function 01023E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 01023EF8
_wcslen.LIBCMT ref: 01023F03
_wcslen.LIBCMT ref: 01023F5A
_wcslen.LIBCMT ref: 01023F98
GetDriveTypeW.KERNEL32(?), ref: 01023FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01024059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01024087

Strings

wait, xrefs: 01024044
close, xrefs: 01023EFE, 01023F18
close cd wait, xrefs: 01024072
open , xrefs: 01023FE5
type cdaudio alias cd wait, xrefs: 01024001
closed, xrefs: 01023F08, 01023F2D, 01023F46, 01023F7E, 01023F97
open, xrefs: 01023F54, 01023F59
set cd door , xrefs: 01024028

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 142ceddbb0ef7e8c9f152a59eb18da456fd2c837ebda643b219f5ce91a80e164
Instruction ID: 905e8c4a786106b2965d6c118e1d74264bf4836feae10437b21c6c6a17740a6b
Opcode Fuzzy Hash: 142ceddbb0ef7e8c9f152a59eb18da456fd2c837ebda643b219f5ce91a80e164
Instruction Fuzzy Hash: 8671E071A042119FD350EF29C8808AAB7F4FF88754F00496DF8D69B252EB39ED49CB91

Function 01015A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01015A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01015A40
SetWindowTextW.USER32(?,?), ref: 01015A57
GetDlgItem.USER32(?,000003EA), ref: 01015A6C
SetWindowTextW.USER32(00000000,?), ref: 01015A72
GetDlgItem.USER32(?,000003E9), ref: 01015A82
SetWindowTextW.USER32(00000000,?), ref: 01015A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01015AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01015AC3
GetWindowRect.USER32(?,?), ref: 01015ACC
_wcslen.LIBCMT ref: 01015B33
SetWindowTextW.USER32(?,?), ref: 01015B6F
GetDesktopWindow.USER32 ref: 01015B75
GetWindowRect.USER32(00000000), ref: 01015B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01015BD3
GetClientRect.USER32(?,?), ref: 01015BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01015C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01015C2F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 89d914ecc9f0c55888be6f3247fd1c93b10216dcdfcdcfe88d64eb8c89118adf
Instruction ID: 6e6f5d4c0a09f237421ad572a5fabe5dbe847e77acc62d5c98e4101fd6ad29e3
Opcode Fuzzy Hash: 89d914ecc9f0c55888be6f3247fd1c93b10216dcdfcdcfe88d64eb8c89118adf
Instruction Fuzzy Hash: 41717C71900709AFEB20DFA8CE85AAEBBF5FF88704F104958E582A7594D779E940CF50

Function 0102FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0102FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0102FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0102FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0102FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0102FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0102FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0102FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0102FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0102FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0102FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0102FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0102FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0102FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0102FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0102FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0102FECC
GetCursorInfo.USER32(?), ref: 0102FEDC
GetLastError.KERNEL32 ref: 0102FF1E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 420be01be405eab2fd04e63ec5996eef453137538ffe96d590d538387fa1579c
Instruction ID: a72a705c1cbde5863a1443df0de8aef8140851d00756fba46b439bceeec13c3b
Opcode Fuzzy Hash: 420be01be405eab2fd04e63ec5996eef453137538ffe96d590d538387fa1579c
Instruction Fuzzy Hash: 614160B0D0431AAADB509FBA8C89C5EBFF8BF04354B50456AE15DE7281DB78A5018F90

Function 00FD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FD00C6

Part of subcall function 00FD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0108070C,00000FA0,4D0A5834,?,?,?,?,00FF23B3,000000FF), ref: 00FD011C
Part of subcall function 00FD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FF23B3,000000FF), ref: 00FD0127
Part of subcall function 00FD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FF23B3,000000FF), ref: 00FD0138
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FD014E
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FD015C
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FD016A
Part of subcall function 00FD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FD0195
Part of subcall function 00FD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FD01A0

___scrt_fastfail.LIBCMT ref: 00FD00E7

Part of subcall function 00FD00A3: __onexit.LIBCMT ref: 00FD00A9

Strings

kernel32.dll, xrefs: 00FD0133
SleepConditionVariableCS, xrefs: 00FD0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FD0122
WakeAllConditionVariable, xrefs: 00FD0162
InitializeConditionVariable, xrefs: 00FD0148

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ca32bff215e006c03162dd4f2890d317b80392504f70edf3281629bf9ac310ac
Instruction ID: 4003dd124960342809d289a81138e6d6c6b073495ebfcf6bf00558d84cf42b96
Opcode Fuzzy Hash: ca32bff215e006c03162dd4f2890d317b80392504f70edf3281629bf9ac310ac
Instruction Fuzzy Hash: C1210AB2E457116BE7207B65AE46B6D7396EB05B61F04013FF8C196344DE798C009B90

Function 010130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101318D
_wcslen.LIBCMT ref: 010131F8

Strings

REGEXPCLASS, xrefs: 01013255, 01013266
CLASSNN, xrefs: 010131F3, 01013204
NAME, xrefs: 01013335, 01013346
CLASS, xrefs: 01013188, 010131A5
TEXT, xrefs: 0101347C
INSTANCE, xrefs: 01013453

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 8ab1d09c43c97edd7421e581d4366c7c542dffcc632b95282a69947fbfbe2146
Instruction ID: 88ac7a533297c9eeed562417c2a635ccba393f96ee726678ec8b67bc2f7b9c86
Opcode Fuzzy Hash: 8ab1d09c43c97edd7421e581d4366c7c542dffcc632b95282a69947fbfbe2146
Instruction Fuzzy Hash: 46E10332A001169BDB199FA8C841BFEFBB5BF04720F14815AE496EB244DF38A945DB90

Function 010244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0104CC08), ref: 01024527
_wcslen.LIBCMT ref: 0102453B
_wcslen.LIBCMT ref: 01024599
_wcslen.LIBCMT ref: 010245F4
_wcslen.LIBCMT ref: 0102463F
_wcslen.LIBCMT ref: 010246A7

Part of subcall function 00FCF9F2: _wcslen.LIBCMT ref: 00FCF9FD

GetDriveTypeW.KERNEL32(?,01076BF0,00000061), ref: 01024743

Strings

all, xrefs: 01024531, 01024536
removable, xrefs: 010245EA, 010245EF
unknown, xrefs: 01024708
ramdisk, xrefs: 010246F1
fixed, xrefs: 01024635, 0102463A
cdrom, xrefs: 0102458F, 01024594
network, xrefs: 0102469D, 010246A2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5d06df456909e2789a30a75583f487f0bd82c832f8b30ea277faa80f92b82c51
Instruction ID: 13f53743fbf4dd83bea2062eb0792287fb5b29f3210a1d075aed1e93228d345f
Opcode Fuzzy Hash: 5d06df456909e2789a30a75583f487f0bd82c832f8b30ea277faa80f92b82c51
Instruction Fuzzy Hash: 07B1EE716083229BC720DF29C890A6EB7E5BF99720F40495DF5E6C7292D774D884CAA2

Function 0103AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103B1D4
_wcslen.LIBCMT ref: 0103B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103B236
_wcslen.LIBCMT ref: 0103B332

Part of subcall function 010205A7: GetStdHandle.KERNEL32(000000F6), ref: 010205C6

_wcslen.LIBCMT ref: 0103B34B
_wcslen.LIBCMT ref: 0103B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103B3B6
GetLastError.KERNEL32(00000000), ref: 0103B407
CloseHandle.KERNEL32(?), ref: 0103B439
CloseHandle.KERNEL32(00000000), ref: 0103B44A
CloseHandle.KERNEL32(00000000), ref: 0103B45C
CloseHandle.KERNEL32(00000000), ref: 0103B46E
CloseHandle.KERNEL32(?), ref: 0103B4E3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1a0ebab06542138fd250ba01a779e4a20fc60cb4d3aae14cc9853507fc46e5c9
Instruction ID: e993674fb87aca36835344704f9b58eb36de894d020dfa1cad1d997067fe3e49
Opcode Fuzzy Hash: 1a0ebab06542138fd250ba01a779e4a20fc60cb4d3aae14cc9853507fc46e5c9
Instruction Fuzzy Hash: 04F1AE716083009FD724EF29C891B6EBBE9AFC5314F18855DF9958B2A6CB35E804CB52

Function 01033FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0104CC08), ref: 010340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0104CC08), ref: 010340F2
FreeLibrary.KERNEL32(00000000,?,0104CC08), ref: 0103413E
StringFromGUID2.OLE32(?,?,00000028,?,0104CC08), ref: 010341A8
SysFreeString.OLEAUT32(00000009), ref: 01034262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010342C8
SysFreeString.OLEAUT32(?), ref: 010342F2

Strings

kernel32.dll, xrefs: 010340B6
GetModuleHandleExW, xrefs: 010340C7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 6154e8b32c74ee0a0b582d07a7acc29316e581ab24443680b6e0c045cf4b47ee
Instruction ID: 688844532894215188668280788a6d498e812a36324b93722d47ca3f0d5672f6
Opcode Fuzzy Hash: 6154e8b32c74ee0a0b582d07a7acc29316e581ab24443680b6e0c045cf4b47ee
Instruction Fuzzy Hash: DF122775A00105AFDB55CF98C984EAEBBB9FF85314F148098E945EF252CB31ED46CBA0

Function 00FB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01081990), ref: 00FF2F8D
GetMenuItemCount.USER32(01081990), ref: 00FF303D
GetCursorPos.USER32(?), ref: 00FF3081
SetForegroundWindow.USER32(00000000), ref: 00FF308A
TrackPopupMenuEx.USER32(01081990,00000000,?,00000000,00000000,00000000), ref: 00FF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF30A9

Strings

0, xrefs: 00FB327D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 54800178788272d8743a3c38b67008bab6b2303da719dcf01ec941dcdd9a236e
Instruction ID: c30af7410b77cd70149d509aabcfb45e43655643bc4695a8f54e0692742fde6a
Opcode Fuzzy Hash: 54800178788272d8743a3c38b67008bab6b2303da719dcf01ec941dcdd9a236e
Instruction Fuzzy Hash: D271F771A40209BFFB218F65CD89FAABF64FF04324F204216F6156A1E0C7B5A950EB91

Function 01046CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01046DEB

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01046E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01046E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01046E94
DestroyWindow.USER32(?), ref: 01046EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FB0000,00000000), ref: 01046EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01046EFD
GetDesktopWindow.USER32 ref: 01046F16
GetWindowRect.USER32(00000000), ref: 01046F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01046F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01046F4D

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

Strings

0, xrefs: 01046D98
tooltips_class32, xrefs: 01046E58, 01046EDD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: bbb0b50e1f632782455bcc8e91b9e1bb59b94634b6d4f0c489de79130f295bae
Instruction ID: dd479b368f5b0bdd0567b66aa81fc06395649c9fb3aa8a92a5268f62b5e15d70
Opcode Fuzzy Hash: bbb0b50e1f632782455bcc8e91b9e1bb59b94634b6d4f0c489de79130f295bae
Instruction Fuzzy Hash: 1D717BB4104340AFEB21CF1DC984EAABBF9FB8A300F44446DF9D987261D776A906CB11

Function 0104911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DragQueryPoint.SHELL32(?,?), ref: 01049147

Part of subcall function 01047674: ClientToScreen.USER32(?,?), ref: 0104769A
Part of subcall function 01047674: GetWindowRect.USER32(?,?), ref: 01047710
Part of subcall function 01047674: PtInRect.USER32(?,?,01048B89), ref: 01047720

SendMessageW.USER32(?,000000B0,?,?), ref: 010491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01049225
SendMessageW.USER32(?,000000B0,?,?), ref: 0104923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01049255
SendMessageW.USER32(?,000000B1,?,?), ref: 01049277
DragFinish.SHELL32(?), ref: 0104927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01049371

Strings

@GUI_DROPID, xrefs: 0104929E
@GUI_DRAGID, xrefs: 010492E9
@GUI_DRAGFILE, xrefs: 01049320

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5a2af7603c86ab4f756e5f25331638754f5ce1c31b48d651989cfdc73a2e47c0
Instruction ID: ae2253eb6521e038e8b83200ec85c573cbeb3966af9fc62f12942e7770802f71
Opcode Fuzzy Hash: 5a2af7603c86ab4f756e5f25331638754f5ce1c31b48d651989cfdc73a2e47c0
Instruction Fuzzy Hash: 84618AB1108301AFD311EF61DD85DAFBBE8EF88350F00092DF591931A0DB759A49CB52

Function 0102C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0102C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0102C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0102C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0102C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0102C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0102C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0102C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0102C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0102C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0102C5F0
InternetCloseHandle.WININET(00000000), ref: 0102C5FB

Strings

, xrefs: 0102C575

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 012cd350f03d708f68900f2c6f273ff4812f5df9624e5cf7d7806dc948b381dc
Instruction ID: 5885097def1df09894162358b9658b889fe87ac5b5a28770c298a016f4f7d28d
Opcode Fuzzy Hash: 012cd350f03d708f68900f2c6f273ff4812f5df9624e5cf7d7806dc948b381dc
Instruction Fuzzy Hash: 05515BB4501629BFFB218F64CB88AAF7BFCFF08744F004419F98696200DB39D9449B60

Function 0104856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 01048592
GetFileSize.KERNEL32(00000000,00000000), ref: 010485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 010485AD
CloseHandle.KERNEL32(00000000), ref: 010485BA
GlobalLock.KERNEL32(00000000), ref: 010485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 010485D7
GlobalUnlock.KERNEL32(00000000), ref: 010485E0
CloseHandle.KERNEL32(00000000), ref: 010485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 010485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0104FC38,?), ref: 01048611
GlobalFree.KERNEL32(00000000), ref: 01048621
GetObjectW.GDI32(?,00000018,000000FF), ref: 01048641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01048671
DeleteObject.GDI32(00000000), ref: 01048699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010486AF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 17ccb7cb7495f71ef0177053ca538e0abb4b2e8c270cf10943bbcfc42efb0864
Instruction ID: 665535d358d681a449629988a202187071508a0efedd70e84b77574a22e76ba5
Opcode Fuzzy Hash: 17ccb7cb7495f71ef0177053ca538e0abb4b2e8c270cf10943bbcfc42efb0864
Instruction Fuzzy Hash: D14151B5601204BFE721DFA9CE88EAE7BB8FF89711F008469F949E7250D7759901CB60

Function 010214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01021502
VariantCopy.OLEAUT32(?,?), ref: 0102150B
VariantClear.OLEAUT32(?), ref: 01021517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010215FB
VarR8FromDec.OLEAUT32(?,?), ref: 01021657
VariantInit.OLEAUT32(?), ref: 01021708
SysFreeString.OLEAUT32(?), ref: 0102178C
VariantClear.OLEAUT32(?), ref: 010217D8
VariantClear.OLEAUT32(?), ref: 010217E7
VariantInit.OLEAUT32(00000000), ref: 01021823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01021625
Default, xrefs: 010216AF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 433f020d1583fa53dc2bfe8884486a64463dd9119266d803d4945df0c44138ff
Instruction ID: f0b9a11fc2477efdb80679a070d03574731df128d0075117eb83fa9d5a23c5fa
Opcode Fuzzy Hash: 433f020d1583fa53dc2bfe8884486a64463dd9119266d803d4945df0c44138ff
Instruction Fuzzy Hash: CDD11571A00235DBEB149F65D985BBDBBF5BF04700F0880DAF596AB180DB38E845DBA1

Function 0103B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0103B80A
RegCloseKey.ADVAPI32(?), ref: 0103B87E
RegCloseKey.ADVAPI32(?), ref: 0103B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0103B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0103B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0103B922
FreeLibrary.KERNEL32(00000000), ref: 0103B983
RegCloseKey.ADVAPI32(00000000), ref: 0103B994

Strings

RegDeleteKeyExW, xrefs: 0103B8FE
advapi32.dll, xrefs: 0103B8ED

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 098f2ecd193aa41fde3e5892c32bc8e8347b51f7542a9939b8dced9f497501e8
Instruction ID: 3cf8cec51e34568a2c64647fd6a5d5f7743616e03835d620d5edd8d08c64fb38
Opcode Fuzzy Hash: 098f2ecd193aa41fde3e5892c32bc8e8347b51f7542a9939b8dced9f497501e8
Instruction Fuzzy Hash: 91C1AF34204201AFE720DF19C895F6ABBE5FF85308F18849DF59A8B292CB75E845CF91

Function 0103255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010325E8
CreateCompatibleDC.GDI32(?), ref: 010325F4
SelectObject.GDI32(00000000,?), ref: 01032601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0103266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010326D0
SelectObject.GDI32(?,?), ref: 010326D8
DeleteObject.GDI32(?), ref: 010326E1
DeleteDC.GDI32(?), ref: 010326E8
ReleaseDC.USER32(00000000,?), ref: 010326F3

Strings

(, xrefs: 0103268D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 49c611b2117fdd5d5fb6989e23de8b7dc46ccd4b68776291e484cf7def4985e7
Instruction ID: 81b8627f643561efed6c499d07a028b66fe24966f8cf57d4fccf47814520ae51
Opcode Fuzzy Hash: 49c611b2117fdd5d5fb6989e23de8b7dc46ccd4b68776291e484cf7def4985e7
Instruction Fuzzy Hash: 9C6113B5D00219EFDF15CFA4C984AAEBBB9FF48310F208529E995A7250D775A940CF50

Function 00FEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FEDAA1

Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED659
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED66B
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED67D
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED68F
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6A1
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6B3
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6C5
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6D7
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6E9
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6FB
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED70D
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED71F
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED731

_free.LIBCMT ref: 00FEDA96

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FEDAB8
_free.LIBCMT ref: 00FEDACD
_free.LIBCMT ref: 00FEDAD8
_free.LIBCMT ref: 00FEDAFA
_free.LIBCMT ref: 00FEDB0D
_free.LIBCMT ref: 00FEDB1B
_free.LIBCMT ref: 00FEDB26
_free.LIBCMT ref: 00FEDB5E
_free.LIBCMT ref: 00FEDB65
_free.LIBCMT ref: 00FEDB82
_free.LIBCMT ref: 00FEDB9A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4973bf0b097167acb3c3e063f432836509675b663a4bbe9793e3f268e849a77
Instruction ID: 90c73366e794c1a2fd6da5dc857c3eed12fdfed3c76830ca41cc49df1f2d23b2
Opcode Fuzzy Hash: b4973bf0b097167acb3c3e063f432836509675b663a4bbe9793e3f268e849a77
Instruction Fuzzy Hash: 06319F31A043899FEB61AA3AEC42B5A77E8FF40320F114429E058D7592EF39ED40F721

Function 0101365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0101369C
_wcslen.LIBCMT ref: 010136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01013797
GetClassNameW.USER32(?,?,00000400), ref: 0101380C
GetDlgCtrlID.USER32(?), ref: 0101385D
GetWindowRect.USER32(?,?), ref: 01013882
GetParent.USER32(?), ref: 010138A0
ScreenToClient.USER32(00000000), ref: 010138A7
GetClassNameW.USER32(?,?,00000100), ref: 01013921
GetWindowTextW.USER32(?,?,00000400), ref: 0101395D

Strings

%s%u, xrefs: 01013734

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 58886ca7454d353f7389b726557579bff9a1a0f13658fa0be11e48d736d1e880
Instruction ID: 4c8188c995d83e03ec1b814bab1f14f32a656333890f7330b7e42a2e7afbfa59
Opcode Fuzzy Hash: 58886ca7454d353f7389b726557579bff9a1a0f13658fa0be11e48d736d1e880
Instruction Fuzzy Hash: 6491B171204206AFE719DF28C884BEAF7E9FF44360F008529FAD9D6184DB38A545CB91

Function 01014954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01014994
GetWindowTextW.USER32(?,?,00000400), ref: 010149DA
_wcslen.LIBCMT ref: 010149EB
CharUpperBuffW.USER32(?,00000000), ref: 010149F7
_wcsstr.LIBVCRUNTIME ref: 01014A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01014A64
GetWindowTextW.USER32(?,?,00000400), ref: 01014A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01014AE6
GetClassNameW.USER32(?,?,00000400), ref: 01014B20
GetWindowRect.USER32(?,?), ref: 01014B8B

Strings

ThumbnailClass, xrefs: 01014A6F, 01014AF1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 1874555517b125b83d9fd9e82b79cac39cdaf8f3ee7f6857bbe3acc07a38adef
Instruction ID: d08d1b6c3b7c9335ac261174cd3f325abfd0e266c89c57fac04e51c0bc067ac8
Opcode Fuzzy Hash: 1874555517b125b83d9fd9e82b79cac39cdaf8f3ee7f6857bbe3acc07a38adef
Instruction Fuzzy Hash: 2391B2710042059FEB15DF18C984BAA7BE9FF44314F0484A9FEC5DA1AADB38E945CBA1

Function 0101BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01081990,000000FF,00000000,00000030), ref: 0101BFAC
SetMenuItemInfoW.USER32(01081990,00000004,00000000,00000030), ref: 0101BFE1
Sleep.KERNEL32(000001F4), ref: 0101BFF3
GetMenuItemCount.USER32(?), ref: 0101C039
GetMenuItemID.USER32(?,00000000), ref: 0101C056
GetMenuItemID.USER32(?,-00000001), ref: 0101C082
GetMenuItemID.USER32(?,?), ref: 0101C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101C145

Strings

0, xrefs: 0101BF3D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 3f90d3e42ff244910868f92f958ffb8731a9d74cf9cfd998efda57690f2f8fa7
Instruction ID: 405788cbb811c02dd9661faf74d3ca315d6810072feaba64ff389feb48f79115
Opcode Fuzzy Hash: 3f90d3e42ff244910868f92f958ffb8731a9d74cf9cfd998efda57690f2f8fa7
Instruction Fuzzy Hash: 066184B0940246AFFF21CF68CA88AEE7FB4FB46344F044155F991A3245C739E945CB60

Function 0103CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0103CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0103CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0103CD48

Part of subcall function 0103CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0103CCAA
Part of subcall function 0103CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0103CCBD
Part of subcall function 0103CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0103CCCF
Part of subcall function 0103CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0103CD05
Part of subcall function 0103CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0103CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0103CCF3

Strings

RegDeleteKeyExW, xrefs: 0103CCC9
advapi32.dll, xrefs: 0103CCB8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 38fc5f615258d1eb852bbb363066371d299e778db7fd842e29edaf6154670a60
Instruction ID: 060f28e66b44d27fc37b070ac37edd57ed40b400f54076f62488ccfc42254b21
Opcode Fuzzy Hash: 38fc5f615258d1eb852bbb363066371d299e778db7fd842e29edaf6154670a60
Instruction Fuzzy Hash: 813182B5902129BBF7319A55DE88EFFBFBCEF46640F000166F981E2104DA349A45DBA0

Function 01023D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01023D40
_wcslen.LIBCMT ref: 01023D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01023D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01023DBE
RemoveDirectoryW.KERNEL32(?), ref: 01023DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01023E55
CloseHandle.KERNEL32(00000000), ref: 01023E60
CloseHandle.KERNEL32(00000000), ref: 01023E6B

Strings

\, xrefs: 01023D77
\??\%s, xrefs: 01023D5B
:, xrefs: 01023D82

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 5675cdd8f49108b7ea4f6927b9acfbea62852f8dfc2f095afd5d94758c7ef34a
Instruction ID: d39aca26f33015cf4123b197490a038a9052862d53daf4a3d6abcad91b84c09a
Opcode Fuzzy Hash: 5675cdd8f49108b7ea4f6927b9acfbea62852f8dfc2f095afd5d94758c7ef34a
Instruction Fuzzy Hash: BA31D6B6A00119ABEB219BA4DD85FEF37BDFF88700F1040B5F649D6154E77892448B24

Function 0101E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0101E6B4

Part of subcall function 00FCE551: timeGetTime.WINMM(?,?,0101E6D4), ref: 00FCE555

Sleep.KERNEL32(0000000A), ref: 0101E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0101E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0101E727
SetActiveWindow.USER32 ref: 0101E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0101E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0101E773
Sleep.KERNEL32(000000FA), ref: 0101E77E
IsWindow.USER32 ref: 0101E78A
EndDialog.USER32(00000000), ref: 0101E79B

Strings

BUTTON, xrefs: 0101E719

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 20ac09bf909059a9f895da78a0a079f1c91c4e51a717cf3cae03fd56d4402c6d
Instruction ID: c09d88374141d1a6abcff21b339036f933603da3feded4289777ce888040d35b
Opcode Fuzzy Hash: 20ac09bf909059a9f895da78a0a079f1c91c4e51a717cf3cae03fd56d4402c6d
Instruction Fuzzy Hash: 382162B5205205AFFB225F64EEC9A2D3BA9FB49788B444424F9C18215DDB7FAC20CB54

Function 0101E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0101EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0101EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0101EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0101EAA7

Strings

play PlayMe wait, xrefs: 0101EA91
alias PlayMe, xrefs: 0101EA36
status PlayMe mode, xrefs: 0101EA58
play PlayMe, xrefs: 0101EAA2
open , xrefs: 0101EA0C
close PlayMe, xrefs: 0101EA6E, 0101EA9B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a678142a2f4231faac82d269b22492fb537f0838aaf23eb109aa9ccfaf5889da
Instruction ID: 6767a29330fd9ead0b54abb2502d828e945b6a6b000e608ea55fb31d5086e04c
Opcode Fuzzy Hash: a678142a2f4231faac82d269b22492fb537f0838aaf23eb109aa9ccfaf5889da
Instruction Fuzzy Hash: 5111E331A8026979E720A3A7DC4ADFF7EBCEBC1F00F440429B842A6081EEA51905C9B0

Function 01019F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0101A012
SetKeyboardState.USER32(?), ref: 0101A07D
GetAsyncKeyState.USER32(000000A0), ref: 0101A09D
GetKeyState.USER32(000000A0), ref: 0101A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0101A0E3
GetKeyState.USER32(000000A1), ref: 0101A0F4
GetAsyncKeyState.USER32(00000011), ref: 0101A120
GetKeyState.USER32(00000011), ref: 0101A12E
GetAsyncKeyState.USER32(00000012), ref: 0101A157
GetKeyState.USER32(00000012), ref: 0101A165
GetAsyncKeyState.USER32(0000005B), ref: 0101A18E
GetKeyState.USER32(0000005B), ref: 0101A19C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bab3a6c199056566eedfb8115d8f6e67b36dd9e1d4099718e4e2277f87eda571
Instruction ID: fd3eaa2535e5730d019f2a1f7a73bcafc7878940b75b885ed367bbdf9494a612
Opcode Fuzzy Hash: bab3a6c199056566eedfb8115d8f6e67b36dd9e1d4099718e4e2277f87eda571
Instruction Fuzzy Hash: 5451F670A057C86AFB76EBA48510BEABFF49F02284F0885CDD6C2571C6DA5CA64CC761

Function 01015CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01015CE2
GetWindowRect.USER32(00000000,?), ref: 01015CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01015D59
GetDlgItem.USER32(?,00000002), ref: 01015D69
GetWindowRect.USER32(00000000,?), ref: 01015D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01015DCF
GetDlgItem.USER32(?,000003E9), ref: 01015DDD
GetWindowRect.USER32(00000000,?), ref: 01015DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01015E31
GetDlgItem.USER32(?,000003EA), ref: 01015E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01015E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01015E67

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6a8395f211012ff490f901d4a3970e94226c34a6adf3f03c293142b7b1fcec4c
Instruction ID: f5fcf6b151477c091a3b9a05449170bd26e9c7c6364389e2f53e6e227d6b3fab
Opcode Fuzzy Hash: 6a8395f211012ff490f901d4a3970e94226c34a6adf3f03c293142b7b1fcec4c
Instruction Fuzzy Hash: 55511CB4B00205AFDB18DF68CE89AAEBBF5FB89300F508169F955E7294D775AD00CB50

Function 00FC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC8BE8,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8FC5

DestroyWindow.USER32(?), ref: 00FC8C81
KillTimer.USER32(00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01006973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 010069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 010069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000), ref: 010069D4
DeleteObject.GDI32(00000000), ref: 010069E6

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7ab3213d8a16c64b5c8f604fc3c34f538bfe73bd30b8415fcb112ee62cc265fa
Instruction ID: f168de3497e9d3d258fc2dbc652c589944f3122488471a0bf1f0654e457e3ca2
Opcode Fuzzy Hash: 7ab3213d8a16c64b5c8f604fc3c34f538bfe73bd30b8415fcb112ee62cc265fa
Instruction Fuzzy Hash: EC618931506602DFEB36DF18DB4AB6977F2FF41352F14455CE0C286994CB3AA892EB90

Function 00FC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

GetSysColor.USER32(0000000F), ref: 00FC9862

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 61a826c2e93bb0fcd80412a77e8d8d275921c2e663f3a8fb017f6696efa52286
Instruction ID: 749bdb73eb1802dca3f6f05c13c2812a74dc0d172a0024b028670b36942aa436
Opcode Fuzzy Hash: 61a826c2e93bb0fcd80412a77e8d8d275921c2e663f3a8fb017f6696efa52286
Instruction Fuzzy Hash: BC413531504640AFEB314F389A89FB93BA5FB07331F544249FAE2871E1C7B69842EB10

Function 010196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01019717
LoadStringW.USER32(00000000,?,00FFF7F8,00000001), ref: 01019720

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01019742
LoadStringW.USER32(00000000,?,00FFF7F8,00000001), ref: 01019745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01019866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0101984A
Line %d (File "%s"):, xrefs: 0101978F
Error: , xrefs: 0101981D
^ ERROR, xrefs: 010197FB
Line %d:, xrefs: 010197A0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1633a8ef1b0a2db5fa02c88fa8360ea512586f23034fa3a2d6c0422339a5fc78
Instruction ID: d8b8e26d54bbc0402b87c42ddc18c42487c59a4eade9d7fdf12734ab0c4225ed
Opcode Fuzzy Hash: 1633a8ef1b0a2db5fa02c88fa8360ea512586f23034fa3a2d6c0422339a5fc78
Instruction Fuzzy Hash: 1B418E7280420AABDB04EBE1CE92DEEB779AF14304F540025F60172096EB796F48DF60

Function 010106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01010804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0101082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01010837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0101083C

Strings

\CLSID, xrefs: 01010724
SOFTWARE\Classes\, xrefs: 0101070E
\IPC$, xrefs: 01010784

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 79d383d82d86e687c17f52f18570dffeb38b0d85371a308565fbf2c56d928e93
Instruction ID: 9eafbc7cb1b762f5424b174b7f1a98048391dadef0171a6f0bfefeafdb16ae05
Opcode Fuzzy Hash: 79d383d82d86e687c17f52f18570dffeb38b0d85371a308565fbf2c56d928e93
Instruction Fuzzy Hash: 20414672C00228ABDF21EBA5DC85CEEB7B8BF04340B444169F981A7155EB399A44DFA0

Function 01043F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0104403B
CreateCompatibleDC.GDI32(00000000), ref: 01044042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01044055
SelectObject.GDI32(00000000,00000000), ref: 0104405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01044068
DeleteDC.GDI32(00000000), ref: 01044072
GetWindowLongW.USER32(?,000000EC), ref: 0104407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01044092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0104409E

Strings

static, xrefs: 01043FD3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3d4ec5ea20c497022f8582e2cb85fc42270da2d5a58874625bf1fb66982ce08e
Instruction ID: 70bb3ff37b65e95b5448aafa8ef4b07bf34f00d22258551019d97bed79ae718d
Opcode Fuzzy Hash: 3d4ec5ea20c497022f8582e2cb85fc42270da2d5a58874625bf1fb66982ce08e
Instruction Fuzzy Hash: DE3163B5101215AFEF229FA8DD84FDA3BA8FF0D324F010225FA98E6190C776D860DB54

Function 01033C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01033C5C
CoInitialize.OLE32(00000000), ref: 01033C8A
CoUninitialize.OLE32 ref: 01033C94
_wcslen.LIBCMT ref: 01033D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01033DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01033ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01033F0E
CoGetObject.OLE32(?,00000000,0104FB98,?), ref: 01033F2D
SetErrorMode.KERNEL32(00000000), ref: 01033F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01033FC4
VariantClear.OLEAUT32(?), ref: 01033FD8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a73e65d80eb157bed77e4f0044ace232e172586b1f716f4524502542a261d381
Instruction ID: 9b79e729b0a72f6c293053e31b9eff424417b3bd437ecaaed07699c2fd539351
Opcode Fuzzy Hash: a73e65d80eb157bed77e4f0044ace232e172586b1f716f4524502542a261d381
Instruction Fuzzy Hash: 15C130B1608205AFD700DF68C98496BBBE9FFC9748F00495DF98A9B250DB31ED05CB62

Function 01027A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01027AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01027B8F
SHGetDesktopFolder.SHELL32(?), ref: 01027BA3
CoCreateInstance.OLE32(0104FD08,00000000,00000001,01076E6C,?), ref: 01027BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01027C74
CoTaskMemFree.OLE32(?,?), ref: 01027CCC
SHBrowseForFolderW.SHELL32(?), ref: 01027D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01027D7A
CoTaskMemFree.OLE32(00000000), ref: 01027D81
CoTaskMemFree.OLE32(00000000), ref: 01027DD6
CoUninitialize.OLE32 ref: 01027DDC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c300afe1136869aa68e6f1f991b2cbae5f977ae44bca9881e5fb2000778b6a0c
Instruction ID: 130a4c421a298687c8f3bc3b71746e08d91dfa941b142d470b49b57c5af58be6
Opcode Fuzzy Hash: c300afe1136869aa68e6f1f991b2cbae5f977ae44bca9881e5fb2000778b6a0c
Instruction Fuzzy Hash: 3AC15A75A00119AFDB10DFA4C984DAEBBF9FF48304B148099E95ADB261DB35ED41CF90

Function 0104541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01045504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01045515
CharNextW.USER32(00000158), ref: 01045544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01045585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0104559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010455AC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d5e9dbba1298d340e55499dc7edec87fc48e05251f1203dca0489d19ccb6fab5
Instruction ID: c1812c1f21db25d5de79156116ff270b87f8f7a2ff096b1c1af1afeb10483791
Opcode Fuzzy Hash: d5e9dbba1298d340e55499dc7edec87fc48e05251f1203dca0489d19ccb6fab5
Instruction Fuzzy Hash: E361B4F4904209AFEF209F54CDC49FE7BB9EF0A724F008165FAA59B280D7759A41CB60

Function 0100FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0100FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0100FB08
VariantInit.OLEAUT32(?), ref: 0100FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0100FB3A
VariantCopy.OLEAUT32(?,?), ref: 0100FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0100FBA1
VariantClear.OLEAUT32(?), ref: 0100FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0100FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0100FBCC
VariantClear.OLEAUT32(?), ref: 0100FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0100FBE9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 55b9c58969ef0bb6115a652c3c31d6ea3e948f39b37748343c3ee0605afe8ab6
Instruction ID: 0fb7250ec9d79f920c610c1dda6d305b7b43c31d270a36220388b26203e2e684
Opcode Fuzzy Hash: 55b9c58969ef0bb6115a652c3c31d6ea3e948f39b37748343c3ee0605afe8ab6
Instruction Fuzzy Hash: 6D419374A0021ADFEB11DF68CA949EEBBB9FF48344F008055E985A7250CB35E945DFA0

Function 01019C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01019CA1
GetAsyncKeyState.USER32(000000A0), ref: 01019D22
GetKeyState.USER32(000000A0), ref: 01019D3D
GetAsyncKeyState.USER32(000000A1), ref: 01019D57
GetKeyState.USER32(000000A1), ref: 01019D6C
GetAsyncKeyState.USER32(00000011), ref: 01019D84
GetKeyState.USER32(00000011), ref: 01019D96
GetAsyncKeyState.USER32(00000012), ref: 01019DAE
GetKeyState.USER32(00000012), ref: 01019DC0
GetAsyncKeyState.USER32(0000005B), ref: 01019DD8
GetKeyState.USER32(0000005B), ref: 01019DEA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e85e5f3924b5e8b33e3e1c7b323ce8604fad385ab3448b50f29f7937e5c9be41
Instruction ID: 97c50702794176a24cc2477290094bbeda338ab6110f1063bf3855ca78200e98
Opcode Fuzzy Hash: e85e5f3924b5e8b33e3e1c7b323ce8604fad385ab3448b50f29f7937e5c9be41
Instruction Fuzzy Hash: 1C41E5346047C96AFFB29668C5643B5BEE06B01308F4880DEDAC6565C7DBAD91C8C7A2

Function 0103055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010305BC
inet_addr.WSOCK32(?), ref: 0103061C
gethostbyname.WSOCK32(?), ref: 01030628
IcmpCreateFile.IPHLPAPI ref: 01030636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010307B9
WSACleanup.WSOCK32 ref: 010307BF

Strings

Ping, xrefs: 01030676

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0dd5225cadd8f9042cb6f3ac2d6865c9eaa0c7727cebf879faa29ad8a0ff8460
Instruction ID: 92aadd0b4a5f84c0bb2fec145d83339d26804eff1dd95bc6fd5746a3e48379d1
Opcode Fuzzy Hash: 0dd5225cadd8f9042cb6f3ac2d6865c9eaa0c7727cebf879faa29ad8a0ff8460
Instruction Fuzzy Hash: 5691C3749052019FE321CF19C989F1ABBE4BF84318F048599F5AA8B7A6C735EC45CF91

Function 01038CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01038CF3

Part of subcall function 01018E54: _wcslen.LIBCMT ref: 01018E77

_wcslen.LIBCMT ref: 01038D4E
_wcslen.LIBCMT ref: 01038D9C
_wcslen.LIBCMT ref: 01038DDC
_wcslen.LIBCMT ref: 01038E6E

Strings

winapi, xrefs: 01038D96, 01038D9B
stdcall, xrefs: 01038DD6, 01038DDB
none, xrefs: 01038E65, 01038E6A
cdecl, xrefs: 01038D48, 01038D4D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1abfc9e8a769c206ca23f5d985736cf79983ded89c6c4a6ee2a5c1e12aa5091d
Instruction ID: bae8a822edfc28dc62f61076d3113e1f51b205a74666ba1fa50e950a179c98ba
Opcode Fuzzy Hash: 1abfc9e8a769c206ca23f5d985736cf79983ded89c6c4a6ee2a5c1e12aa5091d
Instruction Fuzzy Hash: 1351C431A001169BCF15EF6CC9508BEB7E9BF94720B2483AAF5A6E7285D735DD40C7A0

Function 0103372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01033774
CoUninitialize.OLE32 ref: 0103377F
CoCreateInstance.OLE32(?,00000000,00000017,0104FB78,?), ref: 010337D9
IIDFromString.OLE32(?,?), ref: 0103384C
VariantInit.OLEAUT32(?), ref: 010338E4
VariantClear.OLEAUT32(?), ref: 01033936

Strings

NULL Pointer assignment, xrefs: 0103381E
Failed to create object, xrefs: 010337E4, 0103389A
Invalid parameter, xrefs: 01033865

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a5a58f6cbe5b119ebe34b4ec18b1f1c560aec8a70d4ffac326c7776ee78c5b32
Instruction ID: 7f631f2afbb3b3618427e714c55ea0764ae0b66b6dcbadf35db226759cfda0ff
Opcode Fuzzy Hash: a5a58f6cbe5b119ebe34b4ec18b1f1c560aec8a70d4ffac326c7776ee78c5b32
Instruction Fuzzy Hash: 80619C74608301AFD321DF54C989BAABBE8BF89714F00085DF9C59B291C774E948CB92

Function 01023388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010233CF

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010233F0

Strings

"%s" (%d) : ==> %s:, xrefs: 01023522
Line %d (File "%s"):, xrefs: 01023443, 0102345C
"%s" (%d) : ==> %s:%s%s, xrefs: 01023504
Incorrect parameters to object property !, xrefs: 010234AB
Error: , xrefs: 010234D1
^ ERROR , xrefs: 0102349E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 44eee44cd142298d2463b0bcaa89d9c197d7a2c2ca33ff24fffd059d338262a1
Instruction ID: 1e27c79796ca1e095b1125224ff9423b2d1e3714426d4cc16bb2f94801398016
Opcode Fuzzy Hash: 44eee44cd142298d2463b0bcaa89d9c197d7a2c2ca33ff24fffd059d338262a1
Instruction Fuzzy Hash: 1951AF7180021AABDF14EBA1CE42EEEB7B9AF18340F544065F14576051EB3A6F98EF60

Function 0101B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0101B5FC
_wcslen.LIBCMT ref: 0101B608
_wcslen.LIBCMT ref: 0101B64D
_wcslen.LIBCMT ref: 0101B68C
_wcslen.LIBCMT ref: 0101B6C7

Strings

APPEND, xrefs: 0101B6C1, 0101B6C6
REMOVE, xrefs: 0101B602, 0101B607
EXISTS, xrefs: 0101B686, 0101B68B
KEYS, xrefs: 0101B647, 0101B64C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: db5cc2f033e14e9ce3333a026d440e6e2570b5a327a8659431f671696be4f246
Instruction ID: 344037a81e8ad4996cbbe34c8fae9f490b3d83c2d954e6abbb0ab0502a029b20
Opcode Fuzzy Hash: db5cc2f033e14e9ce3333a026d440e6e2570b5a327a8659431f671696be4f246
Instruction Fuzzy Hash: E7412932A000268BCB206F7DCC905BEBBF1BF78694B144569E5A1D7289F73DC881C790

Function 01025393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01025416
GetLastError.KERNEL32 ref: 01025420
SetErrorMode.KERNEL32(00000000,READY), ref: 010254A7

Strings

READY, xrefs: 01025460, 01025468
NOTREADY, xrefs: 0102544B
INVALID, xrefs: 01025459
READONLY, xrefs: 01025452
UNKNOWN, xrefs: 01025444

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8bf968f0f3c3e940781094b82272a955aca0e891e095b49871db0132b5152493
Instruction ID: 09bcd0a8200c8e2ae209060d5bab76cb7b44dae8602b93fb3a2c901d8677e1d1
Opcode Fuzzy Hash: 8bf968f0f3c3e940781094b82272a955aca0e891e095b49871db0132b5152493
Instruction Fuzzy Hash: B931A075A002149FE711DF68C984AEABBF4FF45309F048096E946CB292DB75ED46CB90

Function 01043C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01043C79
SetMenu.USER32(?,00000000), ref: 01043C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01043D10
IsMenu.USER32(?), ref: 01043D24
CreatePopupMenu.USER32 ref: 01043D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01043D5B
DrawMenuBar.USER32 ref: 01043D63

Strings

F, xrefs: 01043D4E
0, xrefs: 01043C54

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 80e646026f6307c884699bf949e28201bb044dfb89809b3146799fdf846f1287
Instruction ID: 4f3265965213ce97a016f897a0070f44530edacb5266dcc77e4e031b1141f351
Opcode Fuzzy Hash: 80e646026f6307c884699bf949e28201bb044dfb89809b3146799fdf846f1287
Instruction Fuzzy Hash: BD418DB8A01219AFEB24DF64E984A9E7BF5FF49310F040068FAC69B350D735A910CF94

Function 01011EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 01011F64
GetDlgCtrlID.USER32 ref: 01011F6F
GetParent.USER32 ref: 01011F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 01011F8E
GetDlgCtrlID.USER32(?), ref: 01011F97
GetParent.USER32(?), ref: 01011FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 01011FAE

Strings

ComboBox, xrefs: 01011EEC
ListBox, xrefs: 01011F21

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ea2de4f35d8b81d3edb5eeb74f3529236e21adb09ba6da51e85a5296a15997f9
Instruction ID: f22e7ca799e536830bc0279e220bc39ad67340db2d8b7e0935be94429b9dd313
Opcode Fuzzy Hash: ea2de4f35d8b81d3edb5eeb74f3529236e21adb09ba6da51e85a5296a15997f9
Instruction Fuzzy Hash: 8C21B0B4900218BBDF14AFA5CD849FEBBB8AF19310F004159BAA167295DB7D94089B64

Function 01011FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01012043
GetDlgCtrlID.USER32 ref: 0101204E
GetParent.USER32 ref: 0101206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101206D
GetDlgCtrlID.USER32(?), ref: 01012076
GetParent.USER32(?), ref: 0101208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101208D

Strings

ComboBox, xrefs: 01011FCD
ListBox, xrefs: 01012002

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 94179b4190ef3499931684abe1a2c45b8f63ad891bb2d4a1ed05430b2d010fa0
Instruction ID: ae9c9961b5a7303f2d501f078f46581937d5c69dcd334541a8035bc550b5b835
Opcode Fuzzy Hash: 94179b4190ef3499931684abe1a2c45b8f63ad891bb2d4a1ed05430b2d010fa0
Instruction Fuzzy Hash: A921FFB5900218BBDF11AFA0CD84EFEBFB8AF08300F104045BA95A7196DA7E9404DB60

Function 01043A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01043A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01043AA0
GetWindowLongW.USER32(?,000000F0), ref: 01043AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01043AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01043B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01043BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01043BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01043BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01043BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01043C13

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: efbd51dd73f3366a9a2f20f8aa8b1f22ab6d884532d08f3d0fc6daf648529621
Instruction ID: 1579072107cc0897af28ddc8dbca7ca3ed0a787975245045b42f99abb18caf7f
Opcode Fuzzy Hash: efbd51dd73f3366a9a2f20f8aa8b1f22ab6d884532d08f3d0fc6daf648529621
Instruction Fuzzy Hash: 7D6159B5900218AFDB20DFA8CC81EEE77F8BF09700F1041A9EA95AB291C774A945DB50

Function 0101B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0101B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B165
GetWindowThreadProcessId.USER32(00000000), ref: 0101B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0101B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B21D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ed0f184e855777b9a56b2332480f1bd168422173e8dd34e4a03273094b0895d
Instruction ID: 52e850520752afe0b3c44dd1b9ffeb3076f4ea892b1538d785d3e21a038d242c
Opcode Fuzzy Hash: 6ed0f184e855777b9a56b2332480f1bd168422173e8dd34e4a03273094b0895d
Instruction Fuzzy Hash: 0A31F5B5100604BFEB359F68D994FAD7BB9BB95711F108044FAC0CA188C7BDD8018F20

Function 00FE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE2C94

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FE2CA0
_free.LIBCMT ref: 00FE2CAB
_free.LIBCMT ref: 00FE2CB6
_free.LIBCMT ref: 00FE2CC1
_free.LIBCMT ref: 00FE2CCC
_free.LIBCMT ref: 00FE2CD7
_free.LIBCMT ref: 00FE2CE2
_free.LIBCMT ref: 00FE2CED
_free.LIBCMT ref: 00FE2CFB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: acee691b7dff52a68b8ec3917334d22aa886d9ab1f50b593634eaa98bb948c8e
Instruction ID: 84606fcfc17b61cd01b7b8bd839f31c9fd2f53774bdb59127380fe9b30c41a78
Opcode Fuzzy Hash: acee691b7dff52a68b8ec3917334d22aa886d9ab1f50b593634eaa98bb948c8e
Instruction Fuzzy Hash: 7811C67610014CAFCB82EF5ADC42CDD3BB9FF05350F425490F9485B222E639EA50BB91

Function 01027DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01027FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01027FC1
GetFileAttributesW.KERNEL32(?), ref: 01027FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01028005
SetCurrentDirectoryW.KERNEL32(?), ref: 01028017
SetCurrentDirectoryW.KERNEL32(?), ref: 01028060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010280B0

Strings

*.*, xrefs: 01028066

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0ca43ab246d35a145c8fa4c2d29e8a381e92118b8867db6bd5580a7e8e41faa2
Instruction ID: 2e349e69ef1395d745b00b4b663212f5cd725403fe0b498afc28bc4d7ef5533d
Opcode Fuzzy Hash: 0ca43ab246d35a145c8fa4c2d29e8a381e92118b8867db6bd5580a7e8e41faa2
Instruction Fuzzy Hash: 0881C2725043119BDB64EF18C8849AEB7E8BF98310F148C5EF9C5C7251E739E945CBA2

Function 00FB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FB5C7A

Part of subcall function 00FB5D0A: GetClientRect.USER32(?,?), ref: 00FB5D30
Part of subcall function 00FB5D0A: GetWindowRect.USER32(?,?), ref: 00FB5D71
Part of subcall function 00FB5D0A: ScreenToClient.USER32(?,?), ref: 00FB5D99

GetDC.USER32 ref: 00FF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FF4708
SelectObject.GDI32(00000000,00000000), ref: 00FF4716
SelectObject.GDI32(00000000,00000000), ref: 00FF472B
ReleaseDC.USER32(?,00000000), ref: 00FF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FF47C4

Strings

U, xrefs: 00FF4693

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 16883055be64d7cdea2924965c37357583419feed9a58c1cbf25ee7d0529f3a3
Instruction ID: f95c2f794b3199f8309eac597c0f52e84cb6eaa9a65b95b055d486045819d1e9
Opcode Fuzzy Hash: 16883055be64d7cdea2924965c37357583419feed9a58c1cbf25ee7d0529f3a3
Instruction Fuzzy Hash: B971F376800209DFCF219F64C984AFB7BB2FF4A364F144269EE919A179C335A841EF50

Function 0102359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010235E4

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

LoadStringW.USER32(01082390,?,00000FFF,?), ref: 0102360A

Strings

"%s" (%d) : ==> %s:, xrefs: 01023742
Line %d (File "%s"):, xrefs: 0102366B
"%s" (%d) : ==> %s:%s%s, xrefs: 01023724
Error: , xrefs: 010236EF
^ ERROR, xrefs: 010236C9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e5638ad1e4ac1a3d5d0ce288de49b2dd47517d8ffc33a493fab4cb8027466d85
Instruction ID: 7a7056087d6932037015b2adaac1e9281d33fe925db0ddabd15fba86aba58a04
Opcode Fuzzy Hash: e5638ad1e4ac1a3d5d0ce288de49b2dd47517d8ffc33a493fab4cb8027466d85
Instruction Fuzzy Hash: 8A51A071C0021ABBDF24EBA1CC82EEEBB79BF14300F544165F24576051DB395A99EFA0

Function 0102C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0102C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0102C2CA
GetLastError.KERNEL32 ref: 0102C322
SetEvent.KERNEL32(?), ref: 0102C336
InternetCloseHandle.WININET(00000000), ref: 0102C341

Strings

, xrefs: 0102C2BB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 02ef89064dafa8935bbc43d99a2f7e0f2993f18100162b27e060c68605fad0d5
Instruction ID: 521e8f971c50e9a5a91dbf990b22d4a2406256d073403268618df643fe5d3edb
Opcode Fuzzy Hash: 02ef89064dafa8935bbc43d99a2f7e0f2993f18100162b27e060c68605fad0d5
Instruction Fuzzy Hash: A831A2B1500614AFF731DF688B84AAF7BFCEB49644B04895DE4CAD3200DB75DA448B60

Function 0101989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FF3AAF,?,?,Bad directive syntax error,0104CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010198BC
LoadStringW.USER32(00000000,?,00FF3AAF,?), ref: 010198C3

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01019987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 010198F1
Line %d (File "%s"):, xrefs: 0101992D
., xrefs: 0101996D
Error: , xrefs: 01019955
Line %d:, xrefs: 01019912

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 614f354ff2d36305073012bf7f0a4f88f4679a7eef3618a4d13c1b9b43444c6e
Instruction ID: 28b0163a08152313af14063ee6056dee99eb8c968a0247a3dc14c6dc21a19c39
Opcode Fuzzy Hash: 614f354ff2d36305073012bf7f0a4f88f4679a7eef3618a4d13c1b9b43444c6e
Instruction Fuzzy Hash: 7121A031C4021EBBDF11AF91CC46EEE7B76BF18304F044469F655660A2EB7A9658DF10

Function 0101209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0101214D

Strings

details, xrefs: 010120FB
SHELLDLL_DefView, xrefs: 010120CC
largeicons, xrefs: 010120E1
smallicons, xrefs: 01012115
list, xrefs: 0101212F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6e730aa9130c38932f496d9fcf5af03e1561afc4c66b2974cb628206411b3aba
Instruction ID: 6872161c5fefbdbff34f14ea41fc951f5e4823afac3801d4591210f27bde6b29
Opcode Fuzzy Hash: 6e730aa9130c38932f496d9fcf5af03e1561afc4c66b2974cb628206411b3aba
Instruction Fuzzy Hash: 02113D7E584306B6F6157524DC06CFA339CCB15324B30005AFB84A8096FA7D74015A18

Function 00FE8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85c585f87b38ac7ec176d0d37f9ccd66126197b84f65351b33e1393e7fc1d75
Instruction ID: 48425190d77af11c2b32ca5bfc872d0380ac03574edf7ca640afa96e3f296b60
Opcode Fuzzy Hash: f85c585f87b38ac7ec176d0d37f9ccd66126197b84f65351b33e1393e7fc1d75
Instruction Fuzzy Hash: F6C12775D082C99FCB11EFAACC40BAD7BB1AF09320F044199F559A7392C7798941EB70

Function 00FECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FECEB7
_free.LIBCMT ref: 00FECF22
_free.LIBCMT ref: 00FECF48
_free.LIBCMT ref: 00FECF71
_free.LIBCMT ref: 00FECFA9
_free.LIBCMT ref: 00FECFDA
_free.LIBCMT ref: 00FED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FED09C
_free.LIBCMT ref: 00FED0B5

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 25a0ebe6e278a9aaac0911378e6fbd98e0a7d59347e170ba4b19bb2693ed01ce
Instruction ID: fcbff18871cdf071d1e6cde6d1df71ba479c73c54c2dcd36b3343c1e9bc74cf9
Opcode Fuzzy Hash: 25a0ebe6e278a9aaac0911378e6fbd98e0a7d59347e170ba4b19bb2693ed01ce
Instruction Fuzzy Hash: CD613B72D043C46FDB21AF769C41A6D7BA5AF05320F04416EF98197246E73A9D02B7A1

Function 010450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01045186
ShowWindow.USER32(?,00000000), ref: 010451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010451D1

Part of subcall function 01046FBA: DeleteObject.GDI32(00000000), ref: 01046FE6

GetWindowLongW.USER32(?,000000F0), ref: 0104520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0104521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01045287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01045296

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aa06062ed3d3470cb30185c1c93e956d62179caef898f43797832abba3887389
Instruction ID: d21710cf8813dec88a680676ac0ac6a0b35a72157ebd40dc425dbf9de134eb8f
Opcode Fuzzy Hash: aa06062ed3d3470cb30185c1c93e956d62179caef898f43797832abba3887389
Instruction Fuzzy Hash: CF51B5B0A41209BFFF309E28CDCABD93BA5FF45321F148062F695962E1D775A580DB41

Function 00FC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01006890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FC8874,00000000,00000000,00000000,000000FF,00000000), ref: 01006901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0100691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FC8874,00000000,00000000,00000000,000000FF,00000000), ref: 0100692D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bd9ad2f3a676178766c0546e142e364066a1f0e181d4b939a533af1feb8ca0f4
Instruction ID: 8f7237f42310ca5ce58abd9a817eeee3cde6754f8147af49ae39fa26c6de8404
Opcode Fuzzy Hash: bd9ad2f3a676178766c0546e142e364066a1f0e181d4b939a533af1feb8ca0f4
Instruction Fuzzy Hash: 4F516DB0600206EFEB21CF24C986FAA7BB6FF84750F104518F986972D0DB76E951DB50

Function 0102C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0102C182
GetLastError.KERNEL32 ref: 0102C195
SetEvent.KERNEL32(?), ref: 0102C1A9

Part of subcall function 0102C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102C272
Part of subcall function 0102C253: GetLastError.KERNEL32 ref: 0102C322
Part of subcall function 0102C253: SetEvent.KERNEL32(?), ref: 0102C336
Part of subcall function 0102C253: InternetCloseHandle.WININET(00000000), ref: 0102C341

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 232aedf45038018b8424d9fe5d94a60415572e710437672e3050c1fa87938896
Instruction ID: 640084dff43e9a1509816410361e1e9bb4bbc807213df7be13b10917ecf36c07
Opcode Fuzzy Hash: 232aedf45038018b8424d9fe5d94a60415572e710437672e3050c1fa87938896
Instruction Fuzzy Hash: AB31A0B5101651AFFB319FA9DB44A6EBBF8FF19200B00441DF99A83604DB36E414DBA0

Function 010125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01012601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01012605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0101260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01012623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01012627

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: accd2ec66694d5056f725708e02febd7befb873eae7f604a63714d180d40a7cb
Instruction ID: dc9f13e224ddc11458fa0f06c0b6388d65d3c85390d919aecb7b065fa3491c46
Opcode Fuzzy Hash: accd2ec66694d5056f725708e02febd7befb873eae7f604a63714d180d40a7cb
Instruction Fuzzy Hash: A301D871791210BBFB2066689DCAF593F59EB4EB11F500001F398AE0D8C9F624448BA9

Function 01011803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01011449,?,?,00000000), ref: 0101180C
HeapAlloc.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 01011813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01011449,?,?,00000000), ref: 01011828
GetCurrentProcess.KERNEL32(?,00000000,?,01011449,?,?,00000000), ref: 01011830
DuplicateHandle.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 01011833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01011449,?,?,00000000), ref: 01011843
GetCurrentProcess.KERNEL32(01011449,00000000,?,01011449,?,?,00000000), ref: 0101184B
DuplicateHandle.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 0101184E
CreateThread.KERNEL32(00000000,00000000,01011874,00000000,00000000,00000000), ref: 01011868

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 72a351420129b8021671a6c52212de14f23487cf284d129d59264ab2377bb0e2
Instruction ID: ced7f5abe87cf8049183c6992050c25ae0887f4cc5b7670900e200c84eb09805
Opcode Fuzzy Hash: 72a351420129b8021671a6c52212de14f23487cf284d129d59264ab2377bb0e2
Instruction Fuzzy Hash: 6601BFB5241304BFF720ABB5DE8DF573B6CEB89B11F004411FA45DB195C6759800CB20

Function 0103A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0101D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0101D501
Part of subcall function 0101D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0101D50F
Part of subcall function 0101D4DC: CloseHandle.KERNEL32(00000000), ref: 0101D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103A16D
GetLastError.KERNEL32 ref: 0103A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0103A268
GetLastError.KERNEL32(00000000), ref: 0103A273
CloseHandle.KERNEL32(00000000), ref: 0103A2C4

Strings

SeDebugPrivilege, xrefs: 0103A18F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 58bf0a142bb3184e53ab1b3b7c6752b42eb0631f90ef3f215efef377c7d28de7
Instruction ID: 7efbd9fdcc761551708f6b1fb2cf14a92f82e6ceadb5430050687fcee52e1a6c
Opcode Fuzzy Hash: 58bf0a142bb3184e53ab1b3b7c6752b42eb0631f90ef3f215efef377c7d28de7
Instruction Fuzzy Hash: 4761B374204242DFE720DF19C494F6ABBE5AF84318F18848CE5E68B7A3C776E945CB91

Function 01043886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01043925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0104393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01043954
_wcslen.LIBCMT ref: 01043999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010439F4

Strings

SysListView32, xrefs: 010438F7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 9a5e152c003ed892af0bcfd5e53ccace4329f1f3e68e02d86003adab1eb94f09
Instruction ID: 4c3704be7119cf9d01c791312b8dcd4247625003295a869204a19c8873c31b7e
Opcode Fuzzy Hash: 9a5e152c003ed892af0bcfd5e53ccace4329f1f3e68e02d86003adab1eb94f09
Instruction Fuzzy Hash: DE4197B1A00319ABEF219F64CC85BEE7BA9FF08350F10156AF994EB281D7759950CB90

Function 0101BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101BCFD
IsMenu.USER32(00000000), ref: 0101BD1D
CreatePopupMenu.USER32 ref: 0101BD53
GetMenuItemCount.USER32(00AC5B28), ref: 0101BDA4
InsertMenuItemW.USER32(00AC5B28,?,00000001,00000030), ref: 0101BDCC

Strings

2, xrefs: 0101BD37
0, xrefs: 0101BCA8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2f7bef85db78c9f44a797cfb0df7d3f38a429c97d19c8e7856b8a3a72adc8b78
Instruction ID: 7ffcce6f62ca112f8f4478ece3632145fe7639d5b7b8e87d4b77f64d61ced8be
Opcode Fuzzy Hash: 2f7bef85db78c9f44a797cfb0df7d3f38a429c97d19c8e7856b8a3a72adc8b78
Instruction Fuzzy Hash: BD5121706002059BEF28EFACC9C4BAEBFF4BF45314F544199E581DB288E7789941CB52

Function 0101C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0101C913

Strings

question, xrefs: 0101C8CC
stop, xrefs: 0101C8E4
blank, xrefs: 0101C895
warning, xrefs: 0101C8FC
info, xrefs: 0101C8B4

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a673924f3ced525eb902be03f14d9d13dc3facfe3b9c71889165906184ef5db5
Instruction ID: d4a6c20b188f77d73c09d7fc629b4f3c1c792c19f9c79596279fddf0aee7c38e
Opcode Fuzzy Hash: a673924f3ced525eb902be03f14d9d13dc3facfe3b9c71889165906184ef5db5
Instruction Fuzzy Hash: CB110B316C9707BBB7015A589EC3C9E77DDEF05360B10006FF580AA286E77DE9005268

Function 0101DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0101DE42
gethostname.WSOCK32(?,00000100), ref: 0101DE5C
gethostbyname.WSOCK32(?), ref: 0101DE69
inet_ntoa.WSOCK32(?), ref: 0101DEAB
_strcat.LIBCMT ref: 0101DEB9
WSACleanup.WSOCK32 ref: 0101DEDE

Strings

0.0.0.0, xrefs: 0101DE87

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 9b7da019d144a6076543136edd1864dc7d1f204c18e6a6194da441fd0498e1d2
Instruction ID: af11211cc47ab38bcfc3ac15d16da272ba875b168a685cac8eafa276ebda5ae5
Opcode Fuzzy Hash: 9b7da019d144a6076543136edd1864dc7d1f204c18e6a6194da441fd0498e1d2
Instruction Fuzzy Hash: A8113671900109ABEB30BBB4DD4AEEE77ECEF10311F0401AAF58596185EF7D96819B60

Function 01049F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

GetSystemMetrics.USER32(0000000F), ref: 01049FC7
GetSystemMetrics.USER32(0000000F), ref: 01049FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0104A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0104A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0104A263
ShowWindow.USER32(00000003,00000000), ref: 0104A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0104A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0104A2CA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 24ff3991109c64a05efcb0d0bce6da518b0020804cad51900617f483b96bfe40
Instruction ID: 524e1a3ddc5ae99f998ae8330b7f3b38dd7edd593df62f28fb3cb481e33048ab
Opcode Fuzzy Hash: 24ff3991109c64a05efcb0d0bce6da518b0020804cad51900617f483b96bfe40
Instruction Fuzzy Hash: A7B18AB1640215EBEB14CF6CCAC57AE3BF2BF48741F0481B9ED869B299D735A940CB50

Function 0101ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0101ED2A
_wcslen.LIBCMT ref: 0101ED3B
_wcslen.LIBCMT ref: 0101ED79
_wcslen.LIBCMT ref: 0101EDAF
_wcslen.LIBCMT ref: 0101EDDF
_wcslen.LIBCMT ref: 0101EDEF
_wcslen.LIBCMT ref: 0101EE2B
_wcslen.LIBCMT ref: 0101EE5A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7124936fba6156f1ffec1790a00116bcea5e754886dc97b52a8478161e7057d0
Instruction ID: b2c3b9482756ec7381cbd1213057c9cff8c5c0a63e0c9a90d23de417065f6896
Opcode Fuzzy Hash: 7124936fba6156f1ffec1790a00116bcea5e754886dc97b52a8478161e7057d0
Instruction Fuzzy Hash: 7E418365C1011876CB11EBB4CC8A9CFB7A9AF45710F548467FA14E3222FB38E255C7E6

Function 00FCF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 00FCF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0100F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0100F454

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c215e7a7c8265a730b5b29c30d29219e59a735144fd6cc9231184fe490b46c49
Instruction ID: fedf05df4ca5fb9bf36e11a06356e46dbf387706d8f88263680bf3f5991a1acc
Opcode Fuzzy Hash: c215e7a7c8265a730b5b29c30d29219e59a735144fd6cc9231184fe490b46c49
Instruction Fuzzy Hash: 30412E31918642BBEF798B2C8F89F69FF936B46320F04842DE5C756990C637A488E711

Function 01042D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01042D1B
GetDC.USER32(00000000), ref: 01042D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01042D2E
ReleaseDC.USER32(00000000,00000000), ref: 01042D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01042D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01042D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01045A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01042DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01042DE1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 11856e55cd5794d1c4d9a6cbcd148220496f58d50b257cd097ab4ca94383dc52
Instruction ID: b5e4bcc115bf929516129021f056c3b710f019ffa7ccbaeb7275de1b9358c96d
Opcode Fuzzy Hash: 11856e55cd5794d1c4d9a6cbcd148220496f58d50b257cd097ab4ca94383dc52
Instruction Fuzzy Hash: 0B31A2B62026147FFB214F54DD89FEB3FADEF09711F044065FE889A191C6759840C7A0

Function 01015622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01015637
_memcmp.LIBVCRUNTIME ref: 01015659
_memcmp.LIBVCRUNTIME ref: 01015671
_memcmp.LIBVCRUNTIME ref: 01015684
_memcmp.LIBVCRUNTIME ref: 0101569E
_memcmp.LIBVCRUNTIME ref: 010156B1
_memcmp.LIBVCRUNTIME ref: 010156C9
_memcmp.LIBVCRUNTIME ref: 010156E4

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b6cb62ee0745b40035f88b2060a8d4b56a6adc6619584d1c6c5bad3576f9edf0
Instruction ID: 7e35713f8b23e8d8f33cf938b2dc210dd3a0cedd4f43bb26f09d7cac159206ad
Opcode Fuzzy Hash: b6cb62ee0745b40035f88b2060a8d4b56a6adc6619584d1c6c5bad3576f9edf0
Instruction Fuzzy Hash: E921C9A174020ABBE21465296EC2FFE339DBF97284F080425FD849F646F76CED1085E5

Function 01034FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0103502E, 01035383
Not an Object type, xrefs: 01035007

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0ac068d654158bce93333a28f1ab394a73cc903d0eb65d0ec602391b84ed76d8
Instruction ID: 092b4769224ef4be8dccec49b0e2acec2e3a9016cf203a267795e5f110aa7129
Opcode Fuzzy Hash: 0ac068d654158bce93333a28f1ab394a73cc903d0eb65d0ec602391b84ed76d8
Instruction Fuzzy Hash: D3D18375A0020A9FDF10CF98CC84BAEB7F9BF88314F148469F995AB291E771D945CB90

Function 00FF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00FF15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FF1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FF16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FF16FB

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FF1777
__freea.LIBCMT ref: 00FF17A2
__freea.LIBCMT ref: 00FF17AE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a1f016196e4515349f120fdc18f92b2ddded09100835251eeac01770553e4286
Instruction ID: 7c0f7986c114d0d166cd3bb4d208194c55ca1c80e7e0ff6e021d7e32f54be750
Opcode Fuzzy Hash: a1f016196e4515349f120fdc18f92b2ddded09100835251eeac01770553e4286
Instruction Fuzzy Hash: 6F91B172E0021EDADB209E75CD81AFE7BB5BF49320F1C0659EA05E7160DB25DD44EBA0

Function 01034523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01034648
VariantInit.OLEAUT32(?), ref: 01034749
VariantClear.OLEAUT32(?), ref: 01034753
VariantClear.OLEAUT32(?), ref: 010347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010345D8, 01034706, 010347BE
Incorrect Object type in FOR..IN loop, xrefs: 0103472C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5e1f280ab619292bb752f8698898ffc5338bbb7ea088a9c31573e5237dfc230e
Instruction ID: 5a238775f61989ea5ccb6a98784eda8e48c0122c0aec045c85f26808fe50a202
Opcode Fuzzy Hash: 5e1f280ab619292bb752f8698898ffc5338bbb7ea088a9c31573e5237dfc230e
Instruction Fuzzy Hash: 52916B71A00219ABDF25CFA9C888FAEBBB8FF85710F108559F545EF281D7709945CBA0

Function 01021187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0102125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01021284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0102135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01021430

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d1661cca5949474225001fc8de926c9839d46c01f6bf659da909a0caa3ae16f4
Instruction ID: e8d5e5bd11d7040642a18cf0201162fff677dc2870bcf695898292b8a687705e
Opcode Fuzzy Hash: d1661cca5949474225001fc8de926c9839d46c01f6bf659da909a0caa3ae16f4
Instruction Fuzzy Hash: 7C9107B5900229AFEB10DF98C884BFEB7B5FF45314F104069FA80E7291DB79A945CB90

Function 00FC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9969972717cb98195d0667bd97abb715e5bab3be6ecc1342408cc292c45ac4b3
Instruction ID: ee54861d7cf8b877c586b4bbddd3d9442919de9988b375ea6e7bb010dc2d50ae
Opcode Fuzzy Hash: 9969972717cb98195d0667bd97abb715e5bab3be6ecc1342408cc292c45ac4b3
Instruction Fuzzy Hash: B1915771D0420AAFDB11CFA9CD89EEEBBB8FF49320F148449E551B7291D378A941DB60

Function 01033947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0103396B
CharUpperBuffW.USER32(?,?), ref: 01033A7A
_wcslen.LIBCMT ref: 01033A8A
VariantClear.OLEAUT32(?), ref: 01033C1F

Part of subcall function 01020CDF: VariantInit.OLEAUT32(00000000), ref: 01020D1F
Part of subcall function 01020CDF: VariantCopy.OLEAUT32(?,?), ref: 01020D28
Part of subcall function 01020CDF: VariantClear.OLEAUT32(?), ref: 01020D34

Strings

AUTOIT.ERROR, xrefs: 01033A80, 01033A85
Incorrect Parameter format, xrefs: 010339A6, 01033BA1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 825d6b5907af8061cce45dd9450862747687f1ca59d4d75e17ae3255849cf220
Instruction ID: 4a1d3f838b1aab320dfcb891dc8385674e9edf1bb3b1cb27df405433bf3754a5
Opcode Fuzzy Hash: 825d6b5907af8061cce45dd9450862747687f1ca59d4d75e17ae3255849cf220
Instruction Fuzzy Hash: D0915974A083059FC714DF29C58196ABBE8FFC9314F04886DF9899B351DB35E905CB92

Function 01034BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0101000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?,?,0101035E), ref: 0101002B
Part of subcall function 0101000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010046
Part of subcall function 0101000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010054
Part of subcall function 0101000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?), ref: 01010064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01034C51
_wcslen.LIBCMT ref: 01034D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01034DCF
CoTaskMemFree.OLE32(?), ref: 01034DDA

Strings

NULL Pointer assignment, xrefs: 01034E23, 01034E52

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3417fd956037cd0b90015fbb3745fe200a76f032c4c4a14390d2441d4c7a91f1
Instruction ID: d5fd66cc1c08143291a63e6161c1aa7adec4632e16457e3093f494720b0cd619
Opcode Fuzzy Hash: 3417fd956037cd0b90015fbb3745fe200a76f032c4c4a14390d2441d4c7a91f1
Instruction Fuzzy Hash: 44911771D0021DAFDF15DFA5CC90AEEBBB9BF48310F10816AE955AB241DB749A44CFA0

Function 010420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01042183
GetMenuItemCount.USER32(00000000), ref: 010421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010421DD
_wcslen.LIBCMT ref: 01042213
GetMenuItemID.USER32(?,?), ref: 0104224D
GetSubMenu.USER32(?,?), ref: 0104225B

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010422E3

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4c1237c74083840183bf283eea12c69759e1fb0a773f0b446f4ed34df3eedf27
Instruction ID: dc5f6c3ad76a1bd948e42fc6426f2391271c78437f73c9bbed628964f8444e65
Opcode Fuzzy Hash: 4c1237c74083840183bf283eea12c69759e1fb0a773f0b446f4ed34df3eedf27
Instruction Fuzzy Hash: 8F7192B5A00205AFCB10DF69D981AAEBBF1EF48310F1484A9F956EB345D734A9418F90

Function 01047E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AC5B00), ref: 01047F37
IsWindowEnabled.USER32(00AC5B00), ref: 01047F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0104801E
SendMessageW.USER32(00AC5B00,000000B0,?,?), ref: 01048051
IsDlgButtonChecked.USER32(?,?), ref: 01048089
GetWindowLongW.USER32(00AC5B00,000000EC), ref: 010480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010480C3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: f778eae5d88624a3265f25f06582056385d26fa5d17d4742b191f27ce491f284
Instruction ID: 15e813fe70054b0f7d2c44128d4336cab9839ed77a7b8c6826dc5cb5344d2933
Opcode Fuzzy Hash: f778eae5d88624a3265f25f06582056385d26fa5d17d4742b191f27ce491f284
Instruction Fuzzy Hash: 9D717EB4605205AFEB719F68C9C4FEA7BF9EF09300F1448AAFAD597251C732A845DB10

Function 0101AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0101AEF9
GetKeyboardState.USER32(?), ref: 0101AF0E
SetKeyboardState.USER32(?), ref: 0101AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0101AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0101AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0101AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0101B020

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a525477714e44b0d051c2ef0174336db3c7e83cc401f609a255ead36e329d7ce
Instruction ID: d3e321d5ad8f2c3e79ff8acbb2a54f235b92e532d6a2875c9f8c06dfb0bec25e
Opcode Fuzzy Hash: a525477714e44b0d051c2ef0174336db3c7e83cc401f609a255ead36e329d7ce
Instruction Fuzzy Hash: 6151D1A0A057D57DFB3782788845BBABEE95B06304F0885CDF2D9468C7C39DA8C8D760

Function 0101ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0101AD19
GetKeyboardState.USER32(?), ref: 0101AD2E
SetKeyboardState.USER32(?), ref: 0101AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0101ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0101ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0101AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0101AE38

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 039ac5a131498e9e7a40896ac07014e6a4d2b6f5ab3b8b41f2be0b40ec07ea16
Instruction ID: 99d91cfcc7b44c6ef6283dbc57b2f6aa96953c0d1b194b4c6d40848e2ac7199a
Opcode Fuzzy Hash: 039ac5a131498e9e7a40896ac07014e6a4d2b6f5ab3b8b41f2be0b40ec07ea16
Instruction Fuzzy Hash: C451E6A17067D57EFB3392388C95BBA7EE85B46304F0884C8E1D6474C7C2ACE898D760

Function 00FE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FF3CD6,?,?,?,?,?,?,?,?,00FE5BA3,?,?,00FF3CD6,?,?), ref: 00FE5470
__fassign.LIBCMT ref: 00FE54EB
__fassign.LIBCMT ref: 00FE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FF3CD6,00000005,00000000,00000000), ref: 00FE552C
WriteFile.KERNEL32(?,00FF3CD6,00000000,00FE5BA3,00000000,?,?,?,?,?,?,?,?,?,00FE5BA3,?), ref: 00FE554B
WriteFile.KERNEL32(?,?,00000001,00FE5BA3,00000000,?,?,?,?,?,?,?,?,?,00FE5BA3,?), ref: 00FE5584

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 64d65abc6fc38b212ee8576d5a3b2355a05f11addaac1f101065d479b2f3d714
Instruction ID: 87750800e593e6ea42c5f75c979658d7f83324735488147074fd5150cc1ddbcb
Opcode Fuzzy Hash: 64d65abc6fc38b212ee8576d5a3b2355a05f11addaac1f101065d479b2f3d714
Instruction Fuzzy Hash: 0251F4B1E007899FDB10CFA9D885AEEBBF9EF09714F18401AF955E7291D7309A40CB61

Function 00FD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FD2D53
_ValidateLocalCookies.LIBCMT ref: 00FD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FD2E0C
_ValidateLocalCookies.LIBCMT ref: 00FD2E61

Strings

csm, xrefs: 00FD2DF6

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 811ead290f6ca6e25e7ab806dd53471c821e59ea5a97166d6f1da7c9be1d91d1
Instruction ID: f4f419129e76a745e7193962e0fa2c70289b89ed1623df99a0da5806d9ff5a3e
Opcode Fuzzy Hash: 811ead290f6ca6e25e7ab806dd53471c821e59ea5a97166d6f1da7c9be1d91d1
Instruction Fuzzy Hash: 6D41D235E00209ABCF10DF68CC85A9EBBB7BF54324F188156F9146B352D7369A01EBD1

Function 010310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103304E: inet_addr.WSOCK32(?), ref: 0103307A
Part of subcall function 0103304E: _wcslen.LIBCMT ref: 0103309B

socket.WSOCK32(00000002,00000001,00000006), ref: 01031112
WSAGetLastError.WSOCK32 ref: 01031121
WSAGetLastError.WSOCK32 ref: 010311C9
closesocket.WSOCK32(00000000), ref: 010311F9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 7cde7b6ac8633170911b9ccbe3567097361c889f1e9b0f01fcc607236720d319
Instruction ID: 852b0721eb4c9df7a78454de07223be2b961de69cd1adda68514094cdcb42d6a
Opcode Fuzzy Hash: 7cde7b6ac8633170911b9ccbe3567097361c889f1e9b0f01fcc607236720d319
Instruction Fuzzy Hash: 4B41D9756001049FE7109F14C984BEAB7EDFF85364F048099FC959B285C775AD41CBE1

Function 0101CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0101CF22,?), ref: 0101DDFD

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0101CF22,?), ref: 0101DE16

lstrcmpiW.KERNEL32(?,?), ref: 0101CF45
MoveFileW.KERNEL32(?,?), ref: 0101CF7F
_wcslen.LIBCMT ref: 0101D005
_wcslen.LIBCMT ref: 0101D01B
SHFileOperationW.SHELL32(?), ref: 0101D061

Strings

\*.*, xrefs: 0101CFF3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: eb6efa8210daa6223b92e182b865afc7adcdae302984862ffc167375960af6b6
Instruction ID: bf90a73e4dddbc2d07c81562cd00f78fea401f18f8ce394ea67085a2c44229d3
Opcode Fuzzy Hash: eb6efa8210daa6223b92e182b865afc7adcdae302984862ffc167375960af6b6
Instruction Fuzzy Hash: 754158719451195FEF52EFA4CE81ADD77F8AF08380F0400EAD549EB145EB39E644CB50

Function 01042DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01042E1C
GetWindowLongW.USER32(?,000000F0), ref: 01042E4F
GetWindowLongW.USER32(?,000000F0), ref: 01042E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01042EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01042EE0
GetWindowLongW.USER32(?,000000F0), ref: 01042EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01042F0B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 45676e78c04450f6f6a4d4217427411d6f5b28d6a897a14f045754ae194806ae
Instruction ID: 320ea6dc2e74fc20058ff8168729c98e1f3c40bd74e4faf057fe88361234f151
Opcode Fuzzy Hash: 45676e78c04450f6f6a4d4217427411d6f5b28d6a897a14f045754ae194806ae
Instruction Fuzzy Hash: D33114B4705140AFEB31CF59EDC4F6937E0EB4A710F1501A4FAD48B2A6CB76A841DB40

Function 01017726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101778F
SysAllocString.OLEAUT32(00000000), ref: 01017792
SysAllocString.OLEAUT32(?), ref: 010177B0
SysFreeString.OLEAUT32(?), ref: 010177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010177DE
SysAllocString.OLEAUT32(?), ref: 010177EC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e1e32eca6f53e80600062d1788e8ec9850fa8be21619ecc08d1dcdcd4ce86e82
Instruction ID: 7c74563e06a2289fe3c83db1da9f979c8a893b40b7086a8608178a55c058d577
Opcode Fuzzy Hash: e1e32eca6f53e80600062d1788e8ec9850fa8be21619ecc08d1dcdcd4ce86e82
Instruction Fuzzy Hash: 6B21F47A600209AFEF10EEACCE88DBB77ECFB09360B008065FA55CB155DA78DC418760

Function 010177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017868
SysAllocString.OLEAUT32(00000000), ref: 0101786B
SysAllocString.OLEAUT32 ref: 0101788C
SysFreeString.OLEAUT32 ref: 01017895
StringFromGUID2.OLE32(?,?,00000028), ref: 010178AF
SysAllocString.OLEAUT32(?), ref: 010178BD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a7c396bd44c2444a34fefed6ec427ba50aa9a93f375019dec7751574a31218e9
Instruction ID: e45170af0632a4299dbba1e6259ebc1a1ee6f489e6c41fe15c492e331c763ed7
Opcode Fuzzy Hash: a7c396bd44c2444a34fefed6ec427ba50aa9a93f375019dec7751574a31218e9
Instruction Fuzzy Hash: 4B21D375600204AFEB10AFBCCD88DBA77ECEB093607108025F955CB2A9DA78DC41CB74

Function 010205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01020601

Strings

nul, xrefs: 01020639

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9e51155dcfdc4b220d6c0ef6a704bee9f058238131a24a50367285645aa7ac36
Instruction ID: f278eca44fc3b19ac8a3e391566578a5deb120ff713a81c6d59821a442cc63ab
Opcode Fuzzy Hash: 9e51155dcfdc4b220d6c0ef6a704bee9f058238131a24a50367285645aa7ac36
Instruction Fuzzy Hash: 2921B7755003259FEB309F6DC948A9AB7E8BF89724F300A59F9E1D72E8D7B19540CB10

Function 010204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0102052E

Strings

nul, xrefs: 01020567

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 97e235d0a4ead5be97bac1447cfa1fd0c149858191ddce85ec865082bd051e48
Instruction ID: 498becabaaf189deb0e0af3163bc2a1cf922b1dad7de975c61cfcae5dfeefa8d
Opcode Fuzzy Hash: 97e235d0a4ead5be97bac1447cfa1fd0c149858191ddce85ec865082bd051e48
Instruction Fuzzy Hash: 3E21BFB4600329EFEB208F29D944A9BBBF4AF44720F204A58F9E1D72E8D7709540CB60

Function 010440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
Part of subcall function 00FB600E: GetStockObject.GDI32(00000011), ref: 00FB6060
Part of subcall function 00FB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01044112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0104411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0104412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01044139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01044145

Strings

Msctls_Progress32, xrefs: 010440E3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8831fe2b7316dd7f6e6645f9fe543fd11f41fa11ffacec137addd7eef1b31406
Instruction ID: a145b7533c54ec7d5d7c9247f6e6ecfc236db080dc8adfe2ac8a27c918c4920b
Opcode Fuzzy Hash: 8831fe2b7316dd7f6e6645f9fe543fd11f41fa11ffacec137addd7eef1b31406
Instruction Fuzzy Hash: 5711B2B215021DBFFF219E65CC85EEB7F9DEF08798F018121BA58E6050C6769C21DBA4

Function 00FED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FED7A3: _free.LIBCMT ref: 00FED7CC

_free.LIBCMT ref: 00FED82D

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FED838
_free.LIBCMT ref: 00FED843
_free.LIBCMT ref: 00FED897
_free.LIBCMT ref: 00FED8A2
_free.LIBCMT ref: 00FED8AD
_free.LIBCMT ref: 00FED8B8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d6632e52926183d9b920c9900ebd21d0d8d55cbfbc91fd1fa1c4db14a1be4434
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 01115171540B88AAD521BFB2CC47FCB7BEC6F00700F400825B699A6893DA6DB5057651

Function 0101DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0101DA74
LoadStringW.USER32(00000000), ref: 0101DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0101DA91
LoadStringW.USER32(00000000), ref: 0101DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0101DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0101DAB9

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4bad4bec1c95d3a89e666bc70d73ac6664d8b031c5721e537a106e6ee21eab7b
Instruction ID: e70fb2cef8cdf819356c3bb68330ce9cd91c5bd45bc73d132d7bb0cf352de3a4
Opcode Fuzzy Hash: 4bad4bec1c95d3a89e666bc70d73ac6664d8b031c5721e537a106e6ee21eab7b
Instruction Fuzzy Hash: 630162F69002087FF710DBE49FC9EEB376CE708205F404495B786E2045EA79AE844B74

Function 0102096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00ABE798,00ABE798), ref: 0102097B
EnterCriticalSection.KERNEL32(00ABE778,00000000), ref: 0102098D
TerminateThread.KERNEL32(?,000001F6), ref: 0102099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 010209A9
CloseHandle.KERNEL32(?), ref: 010209B8
InterlockedExchange.KERNEL32(00ABE798,000001F6), ref: 010209C8
LeaveCriticalSection.KERNEL32(00ABE778), ref: 010209CF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e63dd1efb1bcb47dff1a29c9cb463de81d1616b16e0ee74dbef4131b781ff3c7
Instruction ID: 19ecaa60ef02c6d75ebc86adce9c0f4603a59a151cdb87e7ffbb69a08a81a50f
Opcode Fuzzy Hash: e63dd1efb1bcb47dff1a29c9cb463de81d1616b16e0ee74dbef4131b781ff3c7
Instruction Fuzzy Hash: 76F01D71543A12BBF7615B94EFC8AD67A25BF05702F401015F24250898C7BA9465CF90

Function 00FB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FB5D30
GetWindowRect.USER32(?,?), ref: 00FB5D71
ScreenToClient.USER32(?,?), ref: 00FB5D99
GetClientRect.USER32(?,?), ref: 00FB5ED7
GetWindowRect.USER32(?,?), ref: 00FB5EF8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 185a1cbc7dafef6ca8e5a8c2efa35cfcc9d540cf5102014076cced287fb993f3
Instruction ID: a61f4db8e5ef0611802e10de6ee7052a5aa9b33c8682dea4ab61b376a9a1a522
Opcode Fuzzy Hash: 185a1cbc7dafef6ca8e5a8c2efa35cfcc9d540cf5102014076cced287fb993f3
Instruction Fuzzy Hash: 93B17839A0064ADBDB10CFA9C5807FAB7F1FF48310F14851AE8A9D7250DB38EA41EB54

Function 00FE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE00D6
__allrem.LIBCMT ref: 00FE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE010B
__allrem.LIBCMT ref: 00FE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE0140

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 026ca594da2dcfc5d8aeb74fabaff42bb8d9d98c81d00ff72e2fe4ccdfb0df03
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 8481F872A007469BE7209F6ACC41B6B73E9AF41334F28463AF551DB3C1EBB8D944A750

Function 01031D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01033149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 01033195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 01031DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01031DE1
WSAGetLastError.WSOCK32 ref: 01031DF2
inet_ntoa.WSOCK32(?), ref: 01031E8C
htons.WSOCK32(?), ref: 01031EDB
_strlen.LIBCMT ref: 01031F35

Part of subcall function 010139E8: _strlen.LIBCMT ref: 010139F2

Part of subcall function 00FB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00FCCF58,?,?,?), ref: 00FB6DBA
Part of subcall function 00FB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00FCCF58,?,?,?), ref: 00FB6DED

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: a0f3f30f1913abf53872da5e7d86f28f6f7f44120fae43ece7f23935e7b2ed87
Instruction ID: 34d9d33825c85bf282a13c0a3d778b44c513832606a666ebd6a19247ea10bb58
Opcode Fuzzy Hash: a0f3f30f1913abf53872da5e7d86f28f6f7f44120fae43ece7f23935e7b2ed87
Instruction Fuzzy Hash: 5CA1E130104301AFD324EF25C885F6A7BE9AFD8318F54898CF5965B2A2CB75ED46CB91

Function 00FE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FD82D9,00FD82D9,?,?,?,00FE644F,00000001,00000001,8BE85006), ref: 00FE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FE644F,00000001,00000001,8BE85006,?,?,?), ref: 00FE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FE63D8
__freea.LIBCMT ref: 00FE63E5

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

__freea.LIBCMT ref: 00FE63EE
__freea.LIBCMT ref: 00FE6413

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d9aa46f1f7de38cbbe3f3915fe69d7ed673338f651c1c0efb217984722441edb
Instruction ID: faf0c06a8c78864d18544db5e14937253d1f64a9ca001dba26d767ceb54ff67a
Opcode Fuzzy Hash: d9aa46f1f7de38cbbe3f3915fe69d7ed673338f651c1c0efb217984722441edb
Instruction Fuzzy Hash: 6F51F572A0029AAFEF258F66CC81EAF77A9EF547A0F144229FD05D7240DB34DC40E660

Function 0103BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103BD25
RegCloseKey.ADVAPI32(00000000), ref: 0103BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0103BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0103BDF3
RegCloseKey.ADVAPI32(?), ref: 0103BDFF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: e77758cbbfb34a3b6c3ed8c82f7afcfeb5db7758d439a7c48202ed23f5e94cc9
Instruction ID: 2b0e30936de854faa575d7bb7fff38d4bae99d157c43865404b696fa122200e1
Opcode Fuzzy Hash: e77758cbbfb34a3b6c3ed8c82f7afcfeb5db7758d439a7c48202ed23f5e94cc9
Instruction Fuzzy Hash: 7081B570208241AFD714EF24C885E6ABBE9FF84308F14459DF5954B292DB35ED45CF92

Function 0100F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0100F7B9
SysAllocString.OLEAUT32(00000001), ref: 0100F860
VariantCopy.OLEAUT32(0100FA64,00000000), ref: 0100F889
VariantClear.OLEAUT32(0100FA64), ref: 0100F8AD
VariantCopy.OLEAUT32(0100FA64,00000000), ref: 0100F8B1
VariantClear.OLEAUT32(?), ref: 0100F8BB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 1161287affabc63fe1240ff3f2ea7e9b3a93b0875efce37aabe22981cb724b58
Instruction ID: b8c252ba667cdc0c42d92e7b5ab9960f8fb49a9428a87acb589689e1a1c1ca6e
Opcode Fuzzy Hash: 1161287affabc63fe1240ff3f2ea7e9b3a93b0875efce37aabe22981cb724b58
Instruction Fuzzy Hash: AC512435600312BBEF36AB65D885B6DB3E8EF45310F14845AE942DF2C5DB748840EBA7

Function 0102910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010294E5
_wcslen.LIBCMT ref: 01029506
_wcslen.LIBCMT ref: 0102952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01029585

Strings

X, xrefs: 01029412

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 84e75089a52b9ce28167af90e6f8c4e3945b7260bdcc0ba7ce2f9e3c4badc34b
Instruction ID: 000f5e559b08a338f50056a20ec1322aa5f8ddca5425870be2d4c7fa18a83911
Opcode Fuzzy Hash: 84e75089a52b9ce28167af90e6f8c4e3945b7260bdcc0ba7ce2f9e3c4badc34b
Instruction Fuzzy Hash: 61E1B4716083218FD724DF25C881AAEB7E4BF85314F18856DF9899B2A2DB35DD04CF92

Function 00FC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

BeginPaint.USER32(?,?,?), ref: 00FC9241
GetWindowRect.USER32(?,?), ref: 00FC92A5
ScreenToClient.USER32(?,?), ref: 00FC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010071EA

Part of subcall function 00FC9339: BeginPath.GDI32(00000000), ref: 00FC9357

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c46302045d1f4bb49cedd9a1fd13179838241d3ca5e478fa87909b980a1ba58e
Instruction ID: 7da136d0e22551f5e3423e744b74df9cbf48989d59b267dbd0ace3197f03934e
Opcode Fuzzy Hash: c46302045d1f4bb49cedd9a1fd13179838241d3ca5e478fa87909b980a1ba58e
Instruction Fuzzy Hash: D541A271109201AFE721DF18C989FAA7BA9FF45320F04066DF9D4871E1C77AA845EB61

Function 010207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0102080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01020847
EnterCriticalSection.KERNEL32(?), ref: 01020863
LeaveCriticalSection.KERNEL32(?), ref: 010208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01020921

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b075db677908c437582cf801d9e24d6eaee06343ef478917022644403be18b1d
Instruction ID: c7f5e20f13c9c2346443fbf6fe2dfcf9a7c220c7ff622466f78f5baaff8db022
Opcode Fuzzy Hash: b075db677908c437582cf801d9e24d6eaee06343ef478917022644403be18b1d
Instruction Fuzzy Hash: 8C41CE71A00205EFEF14AF54DD81A6AB7B9FF04300F0480A9FD00AA29BDB75DE14DBA0

Function 010481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0100F3AB,00000000,?,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0104824C
EnableWindow.USER32(?,00000000), ref: 01048272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010482D1
ShowWindow.USER32(?,00000004), ref: 010482E5
EnableWindow.USER32(?,00000001), ref: 0104830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0104832F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fe1be939eb93577da544e9f1b8965cf32d664d639295ba260cd51e7d17e446ca
Instruction ID: 0665acbd40f1318a130acc5fa02f0a40509473ca6d30bf1dba349c34ac2a6c96
Opcode Fuzzy Hash: fe1be939eb93577da544e9f1b8965cf32d664d639295ba260cd51e7d17e446ca
Instruction Fuzzy Hash: 6141B7B4601644AFEB61CF58C6C9BE87BE0BF09715F1885F6E6D84B263C3366441CB50

Function 010322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010322E8

Part of subcall function 0102E4EC: GetWindowRect.USER32(?,?), ref: 0102E504

GetDesktopWindow.USER32 ref: 01032312
GetWindowRect.USER32(00000000), ref: 01032319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01032355
GetCursorPos.USER32(?), ref: 01032381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010323DF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b71f016fe205c505e3097a6ccf34b29de3fdb796ff9b0888a15d1410bcc73d40
Instruction ID: f296174905ce5a3d0fb34751efb2433791996f312031a76fde2f0c393be9c36a
Opcode Fuzzy Hash: b71f016fe205c505e3097a6ccf34b29de3fdb796ff9b0888a15d1410bcc73d40
Instruction Fuzzy Hash: C531CFB2505305ABD721DF18C944A9BBBEDFFC8310F004A19F9C597181DB35EA08CB92

Function 01014C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01014C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01014CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01014CEA
_wcslen.LIBCMT ref: 01014D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01014D10
_wcsstr.LIBVCRUNTIME ref: 01014D1A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a378de9a7882f0073cb50ff7dbbfbb4ec5af50db9f670c0a0ffade3e213507af
Instruction ID: 087dcd25107fb5444c78694dd6fb639438f68a6eacc45400183a5c746f6858c1
Opcode Fuzzy Hash: a378de9a7882f0073cb50ff7dbbfbb4ec5af50db9f670c0a0ffade3e213507af
Instruction Fuzzy Hash: C52149712042047BFB656B39AD49E7F7BDDDF49710F00806DF845CA1A6EB79D80093A0

Function 0102581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

_wcslen.LIBCMT ref: 0102587B
CoInitialize.OLE32(00000000), ref: 01025995
CoCreateInstance.OLE32(0104FCF8,00000000,00000001,0104FB68,?), ref: 010259AE
CoUninitialize.OLE32 ref: 010259CC

Strings

.lnk, xrefs: 01025876, 010258C1, 01025985

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2368df89892a96c5b9102042b0c959a1b6e0cdcc282edcb6d6d944dc72572f39
Instruction ID: 93dd557dcb1f742013bcc0586aec151e040127b638a65a39983c50f9c78d6406
Opcode Fuzzy Hash: 2368df89892a96c5b9102042b0c959a1b6e0cdcc282edcb6d6d944dc72572f39
Instruction Fuzzy Hash: 71D155746043119FC714DF19C884AAABBE5EF89710F14889DF8899B361DB35EC45CF92

Function 0101175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01010FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01010FCA
Part of subcall function 01010FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01010FD6
Part of subcall function 01010FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01010FE5
Part of subcall function 01010FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01010FEC
Part of subcall function 01010FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01011002

GetLengthSid.ADVAPI32(?,00000000,01011335), ref: 010117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010117BA
HeapAlloc.KERNEL32(00000000), ref: 010117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010117DA
GetProcessHeap.KERNEL32(00000000,00000000,01011335), ref: 010117EE
HeapFree.KERNEL32(00000000), ref: 010117F5

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 505ebd46a3ac81d2c1094df4c501853f254396dcd108fa073fe145c629e4e85b
Instruction ID: aa345e6728056d9b2cd7123a568bffb3733f04037d4a36113f2b01fb5b3be9cb
Opcode Fuzzy Hash: 505ebd46a3ac81d2c1094df4c501853f254396dcd108fa073fe145c629e4e85b
Instruction Fuzzy Hash: A011A275502205FFEB249FA8CE49BAE7BF9FB42255F144098F6C197208C73A9940CB60

Function 010114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010114FF
OpenProcessToken.ADVAPI32(00000000), ref: 01011506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01011515
CloseHandle.KERNEL32(00000004), ref: 01011520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01011563

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b302b1ca2c4cd93e0424710398aa44e919689e7dc156040b65c8f421c08f0c5f
Instruction ID: 1a15e7f80468fcbf8ac8c6c088a18fe20af40e4002ffac4c167d785a33308818
Opcode Fuzzy Hash: b302b1ca2c4cd93e0424710398aa44e919689e7dc156040b65c8f421c08f0c5f
Instruction Fuzzy Hash: 9A112CB6601209EBEF21CFA8DE49BDE7BA9FF08744F044055FB45A2054C37A8E60DB61

Function 00FD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FD3379,00FD2FE5), ref: 00FD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FD33B7
SetLastError.KERNEL32(00000000,?,00FD3379,00FD2FE5), ref: 00FD3409

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8813da73d9da57756babf923bb9d9462ce70132e270f61c26fbbf0fbcc3869ce
Instruction ID: 174d9ddd0234fca27e3897e3b66e442539ba6197ae004aa102e27f9df506b6d5
Opcode Fuzzy Hash: 8813da73d9da57756babf923bb9d9462ce70132e270f61c26fbbf0fbcc3869ce
Instruction Fuzzy Hash: 3801F533A093126FB62526746E89A1A3B56FB06375328022BF610903E0EF1A4E01B2C6

Function 00FE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FE5686,00FF3CD6,?,00000000,?,00FE5B6A,?,?,?,?,?,00FDE6D1,?,01078A48), ref: 00FE2D78
_free.LIBCMT ref: 00FE2DAB
_free.LIBCMT ref: 00FE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FDE6D1,?,01078A48,00000010,00FB4F4A,?,?,00000000,00FF3CD6), ref: 00FE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FDE6D1,?,01078A48,00000010,00FB4F4A,?,?,00000000,00FF3CD6), ref: 00FE2DEC
_abort.LIBCMT ref: 00FE2DF2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8a02f0934c56753df3f7f39f5339ce0780f099e14a0d8274187cce73deb7a089
Instruction ID: e99645a74080a6a6e190fca551bad5559383eea2a6b5515e6bc4e02f0d414449
Opcode Fuzzy Hash: 8a02f0934c56753df3f7f39f5339ce0780f099e14a0d8274187cce73deb7a089
Instruction Fuzzy Hash: 20F0F976D0668027D3B2363B7D0AA1E375DABC27B1F254019FA64D2186FE2D89017221

Function 01048A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96A2
Part of subcall function 00FC9639: BeginPath.GDI32(?), ref: 00FC96B9
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01048A4E
LineTo.GDI32(?,00000003,00000000), ref: 01048A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01048A70
LineTo.GDI32(?,00000000,00000003), ref: 01048A80
EndPath.GDI32(?), ref: 01048A90
StrokePath.GDI32(?), ref: 01048AA0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1aa3b4483d193ee91d6fee2ac4f04574e830a6aeaebdb87cf77618abcfa068ee
Instruction ID: 93e5269070b3d82d80ca6253bc870abfa8e2369dec701576272025ac34674926
Opcode Fuzzy Hash: 1aa3b4483d193ee91d6fee2ac4f04574e830a6aeaebdb87cf77618abcfa068ee
Instruction Fuzzy Hash: 81115EB600010CBFEF119F94DD88E9A7F6CEF05350F008421FA85951A4C7769D55DF60

Function 010151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01015218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01015229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01015230
ReleaseDC.USER32(00000000,00000000), ref: 01015238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0101524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01015261

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: eb059cddce645b2f41e6f468c402cc6ed2b7f9971f10920560e5c7e1c9c4c699
Instruction ID: a80d0096a62c31cd9b7954e5ad9a1070324a025935508507d071b3464639b84b
Opcode Fuzzy Hash: eb059cddce645b2f41e6f468c402cc6ed2b7f9971f10920560e5c7e1c9c4c699
Instruction Fuzzy Hash: A801A7B5E01705BBFB205BE59D49E5EBFB8EF49351F044065FE44AB284D6759800CFA0

Function 00FB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB1C22

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 578b1261ce220304694877e22799dfb5bc0d9da4e328a045ab74b14f51ecd6ff
Instruction ID: 2272fdebf43359370c8072c01ab4d0f2d8cac844c5f3c90b2e53d32a1043b4ec
Opcode Fuzzy Hash: 578b1261ce220304694877e22799dfb5bc0d9da4e328a045ab74b14f51ecd6ff
Instruction Fuzzy Hash: 8D0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0101EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0101EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0101EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0101EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB75

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e0921b6fbd3a32bcc35182c02b767494189475d7ef986c16150ec2efb8623217
Instruction ID: 54b3398b20694808fd180e624d6d0e7418ec5152ab3c89de944359b957f90f0d
Opcode Fuzzy Hash: e0921b6fbd3a32bcc35182c02b767494189475d7ef986c16150ec2efb8623217
Instruction Fuzzy Hash: 62F06DB6242158BBE73156529E4DEAF3A7CEBCAB11F004158FA41D108496A92A0187B4

Function 01007439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01007452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01007469
GetWindowDC.USER32(?), ref: 01007475
GetPixel.GDI32(00000000,?,?), ref: 01007484
ReleaseDC.USER32(?,00000000), ref: 01007496
GetSysColor.USER32(00000005), ref: 010074B0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3728a9a852bbfd06ed95014887cec8bff8e83b106d658c1bb48b279561232626
Instruction ID: 70dfdd7d178fadd8733f0b11e621297c3292ae9371b0e0ab26647cff6ad79d9c
Opcode Fuzzy Hash: 3728a9a852bbfd06ed95014887cec8bff8e83b106d658c1bb48b279561232626
Instruction Fuzzy Hash: 4B018B75401205EFEB625F64DE48BAE7BB5FF08311F514064F995A20E1CF3A2E41AB50

Function 01011874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0101187F
UnloadUserProfile.USERENV(?,?), ref: 0101188B
CloseHandle.KERNEL32(?), ref: 01011894
CloseHandle.KERNEL32(?), ref: 0101189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010118A5
HeapFree.KERNEL32(00000000), ref: 010118AC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 456ef1671819b7725fc980671c26c9ad5956c80169b735a8baaa0653172f8164
Instruction ID: 9d7674bb7d9cf0e70429098a6c9af42aaeccb68fef332e75f51d74f9491c8562
Opcode Fuzzy Hash: 456ef1671819b7725fc980671c26c9ad5956c80169b735a8baaa0653172f8164
Instruction Fuzzy Hash: CAE0EDBA105501BBE7215FA1EF4C905BF39FF4A7227108220F26581078CB375420DB50

Function 0101C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0101C6EE
_wcslen.LIBCMT ref: 0101C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0101C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0101C7CA

Strings

0, xrefs: 0101C6AF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 96da3e6a9866c666a2504b283e7a947750e2cb3acca4c01bef73b713bed95779
Instruction ID: a31b8985ee6d757295bc0be144158d90798f4a70635af5f38a5773b8632b2c1e
Opcode Fuzzy Hash: 96da3e6a9866c666a2504b283e7a947750e2cb3acca4c01bef73b713bed95779
Instruction Fuzzy Hash: 6851E2716843019BF7919E28CA85B6EBBE4BF49310F04096DFAD6D2195DBBCD804CB52

Function 0101719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01017206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0101723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0101724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010172CF

Strings

DllGetClassObject, xrefs: 01017242

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad81f5ea9dd597a907e9ddf3546187038a7a7bc74279a95bced8f9f648879653
Instruction ID: 9e125bda13854c1605e3fbdd0de7fe3ce8d33b9ab72eec68f781f84a366ac8c7
Opcode Fuzzy Hash: ad81f5ea9dd597a907e9ddf3546187038a7a7bc74279a95bced8f9f648879653
Instruction Fuzzy Hash: 2F416EB1A00204AFDB25CF94C984ADA7FA9EF49310F1480ADFD459F20DD7B9D945CBA0

Function 01043D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01043E35
IsMenu.USER32(?), ref: 01043E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01043E92
DrawMenuBar.USER32 ref: 01043EA5

Strings

0, xrefs: 01043D89

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a66b24b8b7a7bc645fd023374eb602e29921034ec2f861b77274770dd3473859
Instruction ID: 16a2da9fddc7a5351727ffdbf13f3b5a79b1916553ef516e0ee7de22b1ef075b
Opcode Fuzzy Hash: a66b24b8b7a7bc645fd023374eb602e29921034ec2f861b77274770dd3473859
Instruction Fuzzy Hash: 97418AB4A02219AFEB20DF55D8C0AAEBBF5FF48350F044069E9959B280D335A941CF90

Function 01011DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01011E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01011E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01011EA9

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Strings

ComboBox, xrefs: 01011DF0
ListBox, xrefs: 01011E25

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b31aa95c8677ef44fff5fde27d2e122970a1d338eec2527b59a54d9766a6c7de
Instruction ID: f4022adff907f6690d519f034b3039043164d512d3615f9c91d33a34eef924c1
Opcode Fuzzy Hash: b31aa95c8677ef44fff5fde27d2e122970a1d338eec2527b59a54d9766a6c7de
Instruction Fuzzy Hash: 892146B1A00108ABEB18ABB5DD85CFFBBF8EF45350B004019F691971D5DB3C49099A20

Function 0103C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103C9F1
_wcslen.LIBCMT ref: 0103CA68
_wcslen.LIBCMT ref: 0103CA9E
_wcslen.LIBCMT ref: 0103CAF9
_wcslen.LIBCMT ref: 0103CB2F
_wcslen.LIBCMT ref: 0103CB7F

Strings

HKLM, xrefs: 0103CA98, 0103CA9D
HKEY_LOCAL_MACHINE, xrefs: 0103CA62, 0103CA67

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: aec8cd0cee933ecde509f05ce2876ef0665e2777ff510d36c30bc53373ecc130
Instruction ID: 608d9d2017a5d7b19515ce0c67050ccd5f93a9b6303f63d51233cd654da3ede0
Opcode Fuzzy Hash: aec8cd0cee933ecde509f05ce2876ef0665e2777ff510d36c30bc53373ecc130
Instruction Fuzzy Hash: D1313973A009614BEB61EF2DDE500BE37D95BD1688F15409BE8C1FB34AEA71CD4293A0

Function 01042F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01042F8D
LoadLibraryW.KERNEL32(?), ref: 01042F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01042FA9
DestroyWindow.USER32(?), ref: 01042FB1

Strings

SysAnimate32, xrefs: 01042F68

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 8bb910d8fda42157a4e7aecf6c59afce0c5dfa11506a949ae4825b9ec170e7e1
Instruction ID: e5f58bf248f8c988e75e84680def7dc48fac58848e103cf87334c515215ebd48
Opcode Fuzzy Hash: 8bb910d8fda42157a4e7aecf6c59afce0c5dfa11506a949ae4825b9ec170e7e1
Instruction Fuzzy Hash: F121DEB1300209ABEB214E68ECC0EBB3BA9EB48364F504278FA90D2091C372EC419760

Function 00FD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FD4D1E,00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002), ref: 00FD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FD4D1E,00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000), ref: 00FD4DC3

Strings

mscoree.dll, xrefs: 00FD4D86
CorExitProcess, xrefs: 00FD4D98

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fd2d4744d1f2f205fbb063bd891fb5ffd138eff7392096b69adc96dd6a70a3fd
Instruction ID: 44d3905c96a8fc9279102ac3059f8464e27b10b80c6d88ae12a1518c5b9483ad
Opcode Fuzzy Hash: fd2d4744d1f2f205fbb063bd891fb5ffd138eff7392096b69adc96dd6a70a3fd
Instruction Fuzzy Hash: 58F0A474901208BBEB219F90D949BAEBFB6EF04711F040059F845A2254CB355940DB90

Function 0100D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0100D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100D3BF
FreeLibrary.KERNEL32(00000000), ref: 0100D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0100D3B9
X64, xrefs: 0100D2A8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 73ae6075cbdac3a0c9f2c299308600f1c15381370f6473e8facf2dbd82024cca
Instruction ID: e0450fce7df5dea39510a0a89aa6de3335f4a0ccfa8e829dc27f37c822884234
Opcode Fuzzy Hash: 73ae6075cbdac3a0c9f2c299308600f1c15381370f6473e8facf2dbd82024cca
Instruction Fuzzy Hash: 48F0ECF6807511EBF77316D48EA8A5DB754AF21711F44C199F5C1F1089D730C94087B5

Function 00FB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EC0

Strings

kernel32.dll, xrefs: 00FB4E94
Wow64DisableWow64FsRedirection, xrefs: 00FB4EA8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebaffc34eaad8f2c0c9734adf0a5ccaf7ffbabe9e7526935e2aa2b9f90ea895a
Instruction ID: 51bf79ac5a5e4488bd8078d1b13a2dd845d1e316dab4edd1effd0882b044ca12
Opcode Fuzzy Hash: ebaffc34eaad8f2c0c9734adf0a5ccaf7ffbabe9e7526935e2aa2b9f90ea895a
Instruction Fuzzy Hash: F9E0CDB9E035225BF331172B6F58B9F7554AF82F72B050115FC40D6505DB75DC019AE1

Function 00FB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4E74
FreeLibrary.KERNEL32(00000000,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E87

Strings

kernel32.dll, xrefs: 00FB4E5B
Wow64RevertWow64FsRedirection, xrefs: 00FB4E6E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 31cf329813335ee0eca06401c18e4f21ee5499bac5bb6de1107349626e6e0754
Instruction ID: 0f59065571f85838a0c17b644b05936c576652ba6fcfde8c7ff69ba1bb04a6fc
Opcode Fuzzy Hash: 31cf329813335ee0eca06401c18e4f21ee5499bac5bb6de1107349626e6e0754
Instruction Fuzzy Hash: 6AD0C2B9D03A215767321B266B18ECB2B18AF82B213050124B840A6118CF26DD01EAE0

Function 01022947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022C05
DeleteFileW.KERNEL32(?), ref: 01022C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01022C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022CC0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 52a8237f0992f17282d99d7e016a5c4561ed551442f1281a644bae0950e9b59a
Instruction ID: 4454a42e06dea6b9514a4008952dd099d8cebb6c2ede8040e1e97a1d5ac0ed35
Opcode Fuzzy Hash: 52a8237f0992f17282d99d7e016a5c4561ed551442f1281a644bae0950e9b59a
Instruction Fuzzy Hash: EAB15D72900129ABDF21EBE4CD85EDEBBBDEF48350F1040A6F649A7141EA359A448F61

Function 0103A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0103A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0103A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0103A468
CloseHandle.KERNEL32(?), ref: 0103A63D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 158ae974d5f6037cda8bee9b91d046734df826a434c51a4d69bd76ef600d9cc2
Instruction ID: b4d231edb12c41bf356f03f0b7ec0de7484956592c0ef9bc2e12fb439479d026
Opcode Fuzzy Hash: 158ae974d5f6037cda8bee9b91d046734df826a434c51a4d69bd76ef600d9cc2
Instruction Fuzzy Hash: 9CA1B071604301AFE720DF29C986F2AB7E5AF88714F14885CF59ADB2D2DB74EC418B91

Function 0101E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0101CF22,?), ref: 0101DDFD

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0101CF22,?), ref: 0101DE16

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

lstrcmpiW.KERNEL32(?,?), ref: 0101E473
MoveFileW.KERNEL32(?,?), ref: 0101E4AC
_wcslen.LIBCMT ref: 0101E5EB
_wcslen.LIBCMT ref: 0101E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0101E650

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e0da860de1f890b3381484806e6ca77cf18cdc0356488c44ca397ec46b4285ab
Instruction ID: 5f4361283c815b5b9d05ca07dfe232bd8fdc6c537d032ff015d0ea5050511f8d
Opcode Fuzzy Hash: e0da860de1f890b3381484806e6ca77cf18cdc0356488c44ca397ec46b4285ab
Instruction Fuzzy Hash: D65180B24083459BD765EBA4DC809DF77ECAF84340F00491EEAC9D3145EE78E2888B66

Function 0103B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0103BB63
RegCloseKey.ADVAPI32(?,?), ref: 0103BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0103BBB3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f8548e69a747345c3ba6abae73aaef9984be5638406fd0f907c4fddce256480f
Instruction ID: 9737f4aa2693c3230dcca1c2647a0d0e00168365656be521d3a32cfc0f401709
Opcode Fuzzy Hash: f8548e69a747345c3ba6abae73aaef9984be5638406fd0f907c4fddce256480f
Instruction Fuzzy Hash: 7961B171208201AFD324DF14C890E6ABBE9FF84308F54859DF5998B292CB75ED45CB92

Function 01018BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01018BCD
VariantClear.OLEAUT32 ref: 01018C3E
VariantClear.OLEAUT32 ref: 01018C9D
VariantClear.OLEAUT32(?), ref: 01018D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01018D3B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8c8ad6e68ca53de36dc1a108329d98edd1d5c1f5157f5c7cd1a46d13dae8977c
Instruction ID: 83822d41ba9070006524ba6143e1c7f7a4bbfdd74684e93a158bb5848bea2275
Opcode Fuzzy Hash: 8c8ad6e68ca53de36dc1a108329d98edd1d5c1f5157f5c7cd1a46d13dae8977c
Instruction Fuzzy Hash: 32515AB5A00219EFDB10DF68C884AAABBF4FF89310F05855AF945DB314E734EA11CB90

Function 01028AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01028BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01028BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01028C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01028C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01028C5F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d398d6ef878fff29c39c18388f7a0fa6f47d8b53fbefe8f47728256be1ca8dff
Instruction ID: 2e3660945fa76a481438edf7ffe869f6c9c1a40f017e24800eaab7697e8f92e2
Opcode Fuzzy Hash: d398d6ef878fff29c39c18388f7a0fa6f47d8b53fbefe8f47728256be1ca8dff
Instruction Fuzzy Hash: EF514B79A002199FDB11DF65C981AA9BBF5FF48314F088099E849AB362CB35ED41DF90

Function 01038EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01038F40
GetProcAddress.KERNEL32(00000000,?), ref: 01038FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01038FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01039032
FreeLibrary.KERNEL32(00000000), ref: 01039052

Part of subcall function 00FCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01021043,?,753CE610), ref: 00FCF6E6
Part of subcall function 00FCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0100FA64,00000000,00000000,?,?,01021043,?,753CE610,?,0100FA64), ref: 00FCF70D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 6d19b787f82324122c33fbf11d36e4c8e6105112daa4689b62c93a436dc2bdd7
Instruction ID: 3c772d0a1450ff8e27f9cbab838c6af8f36ab722ea68fd761b5871131c0a685a
Opcode Fuzzy Hash: 6d19b787f82324122c33fbf11d36e4c8e6105112daa4689b62c93a436dc2bdd7
Instruction Fuzzy Hash: A45136386052059FCB11DF68C4848ADBBF5FF89314B0881A9F94A9B362D775ED85CF90

Function 01046B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01046C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01046C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01046C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0102AB79,00000000,00000000), ref: 01046C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01046CC7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: fcb8ae65498d679613af6b2a9010fef793a5897c1f23b4c2f16ef4e9f6fb9453
Instruction ID: cca5d27055173f08f7d4d5eacbb1b41431408c04abd391dc579bf53c94a2ccb6
Opcode Fuzzy Hash: fcb8ae65498d679613af6b2a9010fef793a5897c1f23b4c2f16ef4e9f6fb9453
Instruction Fuzzy Hash: 6B41A3B5A04108AFE724CE68C9D4BB97FA5EB0A350F0402B4E995A7291E372AD41CA84

Function 00FE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE20C3
_free.LIBCMT ref: 00FE20E3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 283de9b11c5b2c695ca1fa9cd06f0e88684e7f8d93bcfd33a1c8331056415b46
Instruction ID: 1053e40fd09e2468c5e9aa521a116324e353b1e2989350a0398d8b6914507e52
Opcode Fuzzy Hash: 283de9b11c5b2c695ca1fa9cd06f0e88684e7f8d93bcfd33a1c8331056415b46
Instruction Fuzzy Hash: EB410632E002049FDB24DF79C981A5DB3F9EF89320F154569E615EB392E735AE01EB80

Function 00FC912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC9141
ScreenToClient.USER32(00000000,?), ref: 00FC915E
GetAsyncKeyState.USER32(00000001), ref: 00FC9183
GetAsyncKeyState.USER32(00000002), ref: 00FC919D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06fe3ddcdc5a26927dfbdab399915ef4b83bd238b9764d401b617be8afb2891a
Instruction ID: c467531c8030bf65e00d505edbdaacbdaf608fd1a81f431669eeebf0efe6b137
Opcode Fuzzy Hash: 06fe3ddcdc5a26927dfbdab399915ef4b83bd238b9764d401b617be8afb2891a
Instruction Fuzzy Hash: 9141F571A0810BFBEF169F68C949BEEB7B1FF05320F104229E4A5A32D0C7746950CB91

Function 01023874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01023922
TranslateMessage.USER32(?), ref: 0102394B
DispatchMessageW.USER32(?), ref: 01023955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01023966

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0c2f25f26221b5239f9794758379a2098dc311e1259af87f9b6bc2b6d2872810
Instruction ID: da1d66438be5ddba7e7a2e8b369c84ed6db954418d13105c78219a240c023d45
Opcode Fuzzy Hash: 0c2f25f26221b5239f9794758379a2098dc311e1259af87f9b6bc2b6d2872810
Instruction Fuzzy Hash: AD31A870608352EFFB75CB389549BBA3BE8BB0E304F044599D5D28A185D77E9085CB11

Function 01011901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01011915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010119E2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 478831280b7458bbc6627850c36e28e15751e21e3a78a796f04f2b85170ff7b3
Instruction ID: 40943751dba4e39aaa225a6e5c11af7b2ad9f48870a8284692758228738f6e81
Opcode Fuzzy Hash: 478831280b7458bbc6627850c36e28e15751e21e3a78a796f04f2b85170ff7b3
Instruction Fuzzy Hash: FE31D6B5900219EFDB14CFBCDA88ADE3BB6EB05315F004265FAB1A72D5C7749944CB90

Function 01045706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01045745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0104579D
_wcslen.LIBCMT ref: 010457AF
_wcslen.LIBCMT ref: 010457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01045816

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: cc7a12f8519fabe231e4e44bcd87be1c5228636f7ba6a8de1b72ead5f1e7cec6
Instruction ID: 9e88f39083118262effc66851a01033b31d14a5d9b25e0983c1e28303b0324fc
Opcode Fuzzy Hash: cc7a12f8519fabe231e4e44bcd87be1c5228636f7ba6a8de1b72ead5f1e7cec6
Instruction Fuzzy Hash: 2321A5F59042189BEB20DF64DCC5AEE7BB8FF45324F008276EA99EA180D7749585CF50

Function 01030930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01030951
GetForegroundWindow.USER32 ref: 01030968
GetDC.USER32(00000000), ref: 010309A4
GetPixel.GDI32(00000000,?,00000003), ref: 010309B0
ReleaseDC.USER32(00000000,00000003), ref: 010309E8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e6289f3c9f01a7ab1b5f4e25fd633c43bd2b67cf915ba4aaafd7d571879c9e8f
Instruction ID: 9cb82b626d749192ca0b4854dc130e9716d407a08e040323c79e25b0c07f7cfd
Opcode Fuzzy Hash: e6289f3c9f01a7ab1b5f4e25fd633c43bd2b67cf915ba4aaafd7d571879c9e8f
Instruction Fuzzy Hash: 2321A179600214AFE714EF65C984AAEBBF9FF48710F048069F88A97355CB75AD04CB50

Function 00FECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FECDE9

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FECE0F
_free.LIBCMT ref: 00FECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FECE31

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 308f23fdc4906bae297b1ccb799b694296f3a4b2d747c9fdef5a7fe1fe952514
Instruction ID: 21de6e8f16a5abd808928883055a3ead8dec81bc37c6a25ac1378e7e44e924f2
Opcode Fuzzy Hash: 308f23fdc4906bae297b1ccb799b694296f3a4b2d747c9fdef5a7fe1fe952514
Instruction Fuzzy Hash: 4601D4B3A022957F333116BB6D8CD7F796DDEC6FA13150129F905D7200EA668E02A2F0

Function 00FC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
SelectObject.GDI32(?,00000000), ref: 00FC96A2
BeginPath.GDI32(?), ref: 00FC96B9
SelectObject.GDI32(?,00000000), ref: 00FC96E2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 06705fd9a312e242498687109d6864996a3b02750efe167ce9909fbc740f04d9
Instruction ID: ab1cb4fcb52671d1f6ab78aeed4d9631981cc546092d1df45ade9bc254bc9276
Opcode Fuzzy Hash: 06705fd9a312e242498687109d6864996a3b02750efe167ce9909fbc740f04d9
Instruction Fuzzy Hash: 4C21C87181A306EFEB218F54DA49BAD3BA4BF11325F104259F4D0A21D4D3BA5842EF90

Function 01015711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01015726
_memcmp.LIBVCRUNTIME ref: 01015744
_memcmp.LIBVCRUNTIME ref: 01015757
_memcmp.LIBVCRUNTIME ref: 0101576F
_memcmp.LIBVCRUNTIME ref: 01015787

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 31e1d3f47b920e14478b1b1280091b21bde65470cf494c26e0368a933880c243
Instruction ID: 448d6f49243765a30458e43e1ace726a7ca37bf6aabd352da39dae62248e572d
Opcode Fuzzy Hash: 31e1d3f47b920e14478b1b1280091b21bde65470cf494c26e0368a933880c243
Instruction Fuzzy Hash: BD01B5E564120ABBE2485519AE83FBB739DBB923A4F044025FD849E206F768ED1096E4

Function 00FE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6), ref: 00FE2DFD
_free.LIBCMT ref: 00FE2E32
_free.LIBCMT ref: 00FE2E59
SetLastError.KERNEL32(00000000,00FB1129), ref: 00FE2E66
SetLastError.KERNEL32(00000000,00FB1129), ref: 00FE2E6F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6ff1ea1851743f2391edf07d6d4ad92cb354f4ca777403de0faf81d91c6645c4
Instruction ID: c5791446151eb6b777cc0111172de7e30ebff2364528751ed2b2b2d77e2c9436
Opcode Fuzzy Hash: 6ff1ea1851743f2391edf07d6d4ad92cb354f4ca777403de0faf81d91c6645c4
Instruction Fuzzy Hash: 49017D779066D027D76226376D8AD2F376DABC1371B354028F490A3186FF3D8C007120

Function 0101000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?,?,0101035E), ref: 0101002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?), ref: 01010064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010070

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ab98307055b3c1e37b0cc5fb9aef048be43f49bb54f51ced3ce4e3f3798b5dc8
Instruction ID: dece58df05c3487851917972a6b0bd671fc611965d8f58cab49534219908aa04
Opcode Fuzzy Hash: ab98307055b3c1e37b0cc5fb9aef048be43f49bb54f51ced3ce4e3f3798b5dc8
Instruction Fuzzy Hash: F50184B6601205BFFB214F68DD44BAA7EEDEB44661F144118F9C5D2208E77ADA808760

Function 0101E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0101E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0101E9A5
Sleep.KERNEL32(00000000), ref: 0101E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0101E9B7
Sleep.KERNEL32 ref: 0101E9F3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: afca01d70249ca72f991e66c4cf54544a69984cbe60a5311f55888fd93b232f7
Instruction ID: 2a9f290ffaf862957a4b7d1b86dc26d1b5361b57c2383d1adefc37ac19497064
Opcode Fuzzy Hash: afca01d70249ca72f991e66c4cf54544a69984cbe60a5311f55888fd93b232f7
Instruction Fuzzy Hash: 01018775C0262DDBDF51ABE4DA88AEDBB79BF09700F000546E982B2248CB3995408BA1

Function 010110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 57aa965f784cfa577d9ef4f5ffb07deab41dbcf2bf4a240ba16c8c789941a1bd
Instruction ID: 333897b95f0d887bcb6831679c31ccce2f351feb8608202d7c9c8918e86551a9
Opcode Fuzzy Hash: 57aa965f784cfa577d9ef4f5ffb07deab41dbcf2bf4a240ba16c8c789941a1bd
Instruction Fuzzy Hash: 000181B9101205BFEB654FA9DE89E6A3FAEFF86264B100454FA81C3354DB36DC008B60

Function 01010FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01010FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01010FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01010FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01010FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01011002

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 07ad69463d69f417952cde7d7b35cf253099c3f2e1d46745bafd59d6122e0f87
Instruction ID: 27bfed43911b5bd3f74573274e421429d554c878795f51d80de5bc58fb20fdfb
Opcode Fuzzy Hash: 07ad69463d69f417952cde7d7b35cf253099c3f2e1d46745bafd59d6122e0f87
Instruction Fuzzy Hash: 8CF0C279202301ABE7220FA8DE8DF563FADEF8A762F100414FA85C7244CA79D8408B60

Function 01011014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0101102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01011036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0101104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011062

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8d5d579ffc416dbfde319c9c88d1fd74278e1046b01a451d644cdd6fdbacfd96
Instruction ID: 0599b31e41b9c09aaa38d150de413419c0f66d92b56fa6db8695b1f576a21d5a
Opcode Fuzzy Hash: 8d5d579ffc416dbfde319c9c88d1fd74278e1046b01a451d644cdd6fdbacfd96
Instruction Fuzzy Hash: D2F0C279202301ABE7221FA9EE88F563FADEF8A661F100414FA85C7244CA79D850CB60

Function 0102030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020324
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020331
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 0102033E
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 0102034B
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020358
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020365

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 64f8dee81ae23c19a6d5160a6bcc37c6f70c054d3f6b045d0a016da3db98f83c
Instruction ID: 40a4cc1a6049d10d24ad5951ffec8dfcff62583fcbbd422ba3f66ce0ea8ce3e3
Opcode Fuzzy Hash: 64f8dee81ae23c19a6d5160a6bcc37c6f70c054d3f6b045d0a016da3db98f83c
Instruction Fuzzy Hash: AF019072801B259FD7309F6AD880413FBF9BE502153158A7EE29652931C371A954CF80

Function 00FED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FED752

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FED764
_free.LIBCMT ref: 00FED776
_free.LIBCMT ref: 00FED788
_free.LIBCMT ref: 00FED79A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e29d051c6813dccb64224551096c2fba74a0f458b32da4f0ad00f5017d8151
Instruction ID: f0d8279ca24b0af2952dea27763cb8e26bf14f6d34095ef47fed61ee0a63367c
Opcode Fuzzy Hash: d5e29d051c6813dccb64224551096c2fba74a0f458b32da4f0ad00f5017d8151
Instruction Fuzzy Hash: 45F06832D002896B86A5EB5AF9C6C1A77EDBB04330B951809F084E7906D73DFC406761

Function 01015C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01015C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01015C6F
MessageBeep.USER32(00000000), ref: 01015C87
KillTimer.USER32(?,0000040A), ref: 01015CA3
EndDialog.USER32(?,00000001), ref: 01015CBD

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c45e835be2edc8084b2d932e572713b4db6ebbf9efc7ebe4e2b605fa34fd2c90
Instruction ID: 732f77264bd3464e83097232c9096bfdde9213b8dd0a7adbe890caf41f5d3e4e
Opcode Fuzzy Hash: c45e835be2edc8084b2d932e572713b4db6ebbf9efc7ebe4e2b605fa34fd2c90
Instruction Fuzzy Hash: 4901A274501708AFFB305F10DF8EFA67BB8BB45B05F040299A6C2A50D5DBF9A9848B90

Function 00FE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE22BE

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FE22D0
_free.LIBCMT ref: 00FE22E3
_free.LIBCMT ref: 00FE22F4
_free.LIBCMT ref: 00FE2305

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fbc1f1e344200b0094c6a67e3d0c3aaeb9fe4dabcca6a32c65794dedcaaea052
Instruction ID: a558ab96f0b13fbb97a2cbadfe401c3a66f5fd483dfc59f3eee53406c8b51020
Opcode Fuzzy Hash: fbc1f1e344200b0094c6a67e3d0c3aaeb9fe4dabcca6a32c65794dedcaaea052
Instruction Fuzzy Hash: D5F030B18041558B97B2AF59F80280C3B78BB187707015506F4D0D626FD73E1412BBA6

Function 00FC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FC95D4
StrokeAndFillPath.GDI32(?,?,010071F7,00000000,?,?,?), ref: 00FC95F0
SelectObject.GDI32(?,00000000), ref: 00FC9603
DeleteObject.GDI32 ref: 00FC9616
StrokePath.GDI32(?), ref: 00FC9631

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: dc17992c7443122473d604b016ef1bbaba73f3ce86d360cba076d7db1bd2a205
Instruction ID: be57289b4585dc9a5aa08c7a0f0d184672a38b70cf70c542f58deb5c21d6d752
Opcode Fuzzy Hash: dc17992c7443122473d604b016ef1bbaba73f3ce86d360cba076d7db1bd2a205
Instruction Fuzzy Hash: ACF03C3540E605AFEB365F65EB4DB683B61AB11332F048218F4E5550F8CB7A8992EF20

Function 00FE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FE10F9
__freea.LIBCMT ref: 00FE1117

Part of subcall function 00FE1537: _free.LIBCMT ref: 00FE154F

Strings

am/pm, xrefs: 00FE117A
a/p, xrefs: 00FE11DE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3d75d5e5e11928e224e1d053e2116617f478c4f0840e90207e41e9a87e89bd1a
Instruction ID: c84eeb388d7708f3e9ef833935927d09957751602a5b1e542a24c37c398d0b66
Opcode Fuzzy Hash: 3d75d5e5e11928e224e1d053e2116617f478c4f0840e90207e41e9a87e89bd1a
Instruction Fuzzy Hash: 3FD10572D00286CEDB249F6BC845BFEB7B5FF05320F28015AEA019B654D7799D80EB91

Function 01037B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0242: EnterCriticalSection.KERNEL32(0108070C,01081884,?,?,00FC198B,01082518,?,?,?,00FB12F9,00000000), ref: 00FD024D
Part of subcall function 00FD0242: LeaveCriticalSection.KERNEL32(0108070C,?,00FC198B,01082518,?,?,?,00FB12F9,00000000), ref: 00FD028A

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 00FD00A3: __onexit.LIBCMT ref: 00FD00A9

__Init_thread_footer.LIBCMT ref: 01037BFB

Part of subcall function 00FD01F8: EnterCriticalSection.KERNEL32(0108070C,?,?,00FC8747,01082514), ref: 00FD0202
Part of subcall function 00FD01F8: LeaveCriticalSection.KERNEL32(0108070C,?,00FC8747,01082514), ref: 00FD0235

Strings

Variable must be of type 'Object'., xrefs: 01037C3A
5, xrefs: 01037C78
G, xrefs: 01037C7F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: b64d8f523ff08e375e4eeb9026a5ca87365cd46004f304325e0236c0a74a6e8f
Instruction ID: 3a37d04a0058e8654379e2a6c8133dd272efdd2757421b0a5ec0089a7569f5f5
Opcode Fuzzy Hash: b64d8f523ff08e375e4eeb9026a5ca87365cd46004f304325e0236c0a74a6e8f
Instruction Fuzzy Hash: 8B918FB1A00209EFCB05EF59D894DADB7B9FF89300F14809DF9865B252DB71AE41CB51

Function 01012716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010121D0,?,?,00000034,00000800,?,00000034), ref: 0101B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01012760

Part of subcall function 0101B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0101B3F8

Part of subcall function 0101B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0101B355
Part of subcall function 0101B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01012194,00000034,?,?,00001004,00000000,00000000), ref: 0101B365
Part of subcall function 0101B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01012194,00000034,?,?,00001004,00000000,00000000), ref: 0101B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0101281A

Strings

@, xrefs: 01012832

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5cde73fc3d4a3de9f1c99f97438ae22a11d4d8e49ad0fd1f6a6dcb88e4b97657
Instruction ID: f5648bea0781aeeed60c642b3a35b16865f0275fac73a8c3f7e0eb61bf008d6d
Opcode Fuzzy Hash: 5cde73fc3d4a3de9f1c99f97438ae22a11d4d8e49ad0fd1f6a6dcb88e4b97657
Instruction Fuzzy Hash: C3416D76901218BFDB10DFA4CD81AEEBBB8EF19300F108095FA95B7184DB746E45CBA0

Function 00FE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FE1769
_free.LIBCMT ref: 00FE1834
_free.LIBCMT ref: 00FE183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FE1760, 00FE1767, 00FE1796, 00FE17CE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8151b9ae01661c8fdf1b11ee61e0ebcc1dfb628abcd007fbf6a5c519a4671bc0
Instruction ID: 4acbcabbab70fbd1ffa08fe17ec52006fa3107d644b95c9b8de53c1d90ed9702
Opcode Fuzzy Hash: 8151b9ae01661c8fdf1b11ee61e0ebcc1dfb628abcd007fbf6a5c519a4671bc0
Instruction Fuzzy Hash: 01318F71E04298AFDB21DF9B9C81D9EBBBCFF85720B144166F84497201D6748E41EB90

Function 0101C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0101C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0101C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01081990,00AC5B28), ref: 0101C395

Strings

0, xrefs: 0101C2DF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a61c69256397a6119006a8c39c751b137182ee7544639a4cac86ade8ee5a6bfb
Instruction ID: 052782f96603d52affeb3d27c2bf2775e737b76a5cb952b904eb725e1441cf49
Opcode Fuzzy Hash: a61c69256397a6119006a8c39c751b137182ee7544639a4cac86ade8ee5a6bfb
Instruction Fuzzy Hash: F141E3712443029FE724DF29D984B5ABBE8AF85310F04865EF9E5972C5D738E604CB52

Function 01044416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104CC08,00000000,?,?,?,?), ref: 010444AA
GetWindowLongW.USER32 ref: 010444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010444D7

Strings

SysTreeView32, xrefs: 0104447C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5c34f54e81bfe6553d8fa222da00573a77f8d23fbae6a1f3f36145cb8d85b0b6
Instruction ID: 56cbe57524a927eadbe5668ee3af0e9efb6ac562c893c36c015e7aaac0e7624c
Opcode Fuzzy Hash: 5c34f54e81bfe6553d8fa222da00573a77f8d23fbae6a1f3f36145cb8d85b0b6
Instruction Fuzzy Hash: 3631C2B1210205AFEF618E38DC85BDA7BA9EB48334F208725F9B5D21D1DB74E8509B50

Function 0103304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01033077,?,?), ref: 01033378

inet_addr.WSOCK32(?), ref: 0103307A
_wcslen.LIBCMT ref: 0103309B
htons.WSOCK32(00000000), ref: 01033106

Strings

255.255.255.255, xrefs: 01033095, 0103309A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 051b0f2e343f47c66653f4f92fd7aaeaecff85380191772714189ea91d0bd695
Instruction ID: aa9b8729c29bf2652f247288ee4762b6a50ec7847b19a4799f8bca5e3ebaa419
Opcode Fuzzy Hash: 051b0f2e343f47c66653f4f92fd7aaeaecff85380191772714189ea91d0bd695
Instruction Fuzzy Hash: 9E31D2396042019FD720CF2DC5D5AAABBF8FF94318F148099E9968F392DB76E941C760

Function 01043EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01043F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01043F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01043F78

Strings

SysMonthCal32, xrefs: 01043F0B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f3f12b4295c68ed347795d6f4bae933477ff948da38d140ea5f89aeb0332aacb
Instruction ID: 8b9672f1161d6df49e66161699c3febececa679febb5f87a5efe870e63141690
Opcode Fuzzy Hash: f3f12b4295c68ed347795d6f4bae933477ff948da38d140ea5f89aeb0332aacb
Instruction Fuzzy Hash: 4821B172600229BFEF229E54CC86FEA3BB5FF48714F111154FE95AB1C0D6B5A8508B90

Function 01044653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01044705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01044713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0104471A

Strings

msctls_updown32, xrefs: 01044684

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 49575626c6157dbb88810cf23a6a5187d3864a07e3350d81750c86381f3b048f
Instruction ID: 102564006b4a2f49e6dff30bd519149455adabcaa6d26d98493783e48cb7a8f0
Opcode Fuzzy Hash: 49575626c6157dbb88810cf23a6a5187d3864a07e3350d81750c86381f3b048f
Instruction Fuzzy Hash: 44211BB5600209AFEB11DF68DCC1DAA37ADEF4A294B040499FA94DB251CA75EC12DB60

Function 010195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101961D

Strings

#OnAutoItStartRegister, xrefs: 010195F3
#requireadmin, xrefs: 010195D9
#notrayicon, xrefs: 010195B7

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 656b8757cfc370e3a428b475217d35ffd9cd3a7f0b0800e4c8bd4ab31c1ad206
Instruction ID: ebc85b98bbcd5a199ba6b4f68e74056dd24b19ac0dd925254f6e0ea7e610d594
Opcode Fuzzy Hash: 656b8757cfc370e3a428b475217d35ffd9cd3a7f0b0800e4c8bd4ab31c1ad206
Instruction Fuzzy Hash: A521A07210421167E331BB2D9C22FBB73DD9F95308F05442AFAC597146EB5CA941D3E1

Function 010437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01043840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01043850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01043876

Strings

Listbox, xrefs: 0104380F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fb20632f5fa42170b394d6b256abe9b351402b388d0121521d616e81067797fb
Instruction ID: ff2c0eabce95729e276bf5c331bce290e3cdc4caba16ce3dd6f3598801215d32
Opcode Fuzzy Hash: fb20632f5fa42170b394d6b256abe9b351402b388d0121521d616e81067797fb
Instruction Fuzzy Hash: F421B3B2610228BBEB22CE59CC85EAB37AEFF89750F109164F9849B190C675DC518790

Function 010249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01024A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01024A5C
SetErrorMode.KERNEL32(00000000,?,?,0104CC08), ref: 01024AD0

Strings

%lu, xrefs: 01024A6F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1e08a4aad0f8cf7a55de883127223af5551bafb5bb990614ac1aba84c1a63943
Instruction ID: 4df27189fd2411a8cd1c8dd4105e1188d988b3e4df022df275d6b1281e1a8c0d
Opcode Fuzzy Hash: 1e08a4aad0f8cf7a55de883127223af5551bafb5bb990614ac1aba84c1a63943
Instruction Fuzzy Hash: C2318F74A00109AFDB10DF54C9C5EAA7BF8EF08308F1480A9E949DB252D775ED45CB61

Function 010441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0104424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01044264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01044271

Strings

msctls_trackbar32, xrefs: 01044226

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e5627601f7bc306fba54d5efe0b4a5b86fc43d991a0e833aa702344abd3837f7
Instruction ID: 958bcaf217f4680347e7dd014e3fadae4a3257a17df02c00f5f60790e44d5fae
Opcode Fuzzy Hash: e5627601f7bc306fba54d5efe0b4a5b86fc43d991a0e833aa702344abd3837f7
Instruction Fuzzy Hash: 9311C6B1240248BFEF215E69CC46FAB3BACEF85B64F014525FA95E6090D671D8119B20

Function 01012F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Part of subcall function 01012DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01012DC5
Part of subcall function 01012DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01012DD6
Part of subcall function 01012DA7: GetCurrentThreadId.KERNEL32 ref: 01012DDD
Part of subcall function 01012DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01012DE4

GetFocus.USER32 ref: 01012F78

Part of subcall function 01012DEE: GetParent.USER32(00000000), ref: 01012DF9

GetClassNameW.USER32(?,?,00000100), ref: 01012FC3
EnumChildWindows.USER32(?,0101303B), ref: 01012FEB

Strings

%s%d, xrefs: 01012FFF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d34b03f4ddd38ce0f2934c7a6b34c4cff5cbbd23e8ad8b7ab4711530908e29dd
Instruction ID: c09bf308316d8b5297480d0366c46a0ed10a8768a1400d9d3473b54b926863da
Opcode Fuzzy Hash: d34b03f4ddd38ce0f2934c7a6b34c4cff5cbbd23e8ad8b7ab4711530908e29dd
Instruction Fuzzy Hash: ED1102B1200206ABDF157F60CDD5EEE37AAAF94314F008079F9499B146DE3898498B30

Function 01045882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010458EE
DrawMenuBar.USER32(?), ref: 010458FD

Strings

0, xrefs: 0104588F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 7fcc3ea230175804ec70ac780bb9d2e61fc23a3f388a2253a19608a69b6d998f
Instruction ID: 5a6734fd2c850cd529b4be9f222ab3ad5e7d44e0371475032c14e4c6fb19c20f
Opcode Fuzzy Hash: 7fcc3ea230175804ec70ac780bb9d2e61fc23a3f388a2253a19608a69b6d998f
Instruction Fuzzy Hash: AC01C4B5500208AFDB219F11DC85FAFBBB5FF45760F0080A9E889D6151DB348A84DF20

Function 0101007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eac5262054d4140d629a114f2988ba1a1ee578ac0b12914bf1a71af4d136477
Instruction ID: a8e81caea487fb675cff4eb2d1bdcaf0a8b7b7521d4ea73b4633401e8e067d7a
Opcode Fuzzy Hash: 4eac5262054d4140d629a114f2988ba1a1ee578ac0b12914bf1a71af4d136477
Instruction Fuzzy Hash: 7BC16E75A0020AEFDB15CF98C884AAEBBB9FF48704F108598F585EB259D735DD81CB90

Function 00FE3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FE3F0B
__alldvrm.LIBCMT ref: 00FE410C
__alldvrm.LIBCMT ref: 00FE412E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 4620457575876801546dae63dc0ce482d5d241cd2b6a8a349c126c7b26911693
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 2CA14872D003C69FDB16CF19CC917AEBBE5EF65360F1841ADE6859B281C238A941E750

Function 0103342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01033459
CoUninitialize.OLE32 ref: 01033463
VariantInit.OLEAUT32(?), ref: 0103346E
VariantClear.OLEAUT32(?), ref: 0103371B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b267bfbecb30e3407ea25cd23a3fe2a4eb6f0b9523aea4cfeb00f4e7ffd4bab7
Instruction ID: b47de7f2640ecf556915c4286de35b4b32e01d8b074a56444c4a23162046184d
Opcode Fuzzy Hash: b267bfbecb30e3407ea25cd23a3fe2a4eb6f0b9523aea4cfeb00f4e7ffd4bab7
Instruction Fuzzy Hash: 5BA158756043019FC710EF29C985A6ABBE9FF88314F088859F98A9B365DB34ED01DF91

Function 01010436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0104FC08,?), ref: 010105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0104FC08,?), ref: 01010608
CLSIDFromProgID.OLE32(?,?,00000000,0104CC40,000000FF,?,00000000,00000800,00000000,?,0104FC08,?), ref: 0101062D
_memcmp.LIBVCRUNTIME ref: 0101064E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 04e0211498a4b9544115de93e035dd10f1675a7e2ae2bd0b3137b75bec1a06ef
Instruction ID: 56a93c2dce3a0e14600b1b415ef2fdaf2ab70371bc0f78b73757f652c5732d46
Opcode Fuzzy Hash: 04e0211498a4b9544115de93e035dd10f1675a7e2ae2bd0b3137b75bec1a06ef
Instruction Fuzzy Hash: BA816B71A00109EFCB04CF98C984EEEB7B9FF89315F204598F546AB254DB75AE46CB60

Function 00FF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF14C0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ae98dca3075db20f7c4b732631731ed6f27e71f82e66c1d63151498975e4c8f7
Instruction ID: 99ab527f01a214c5d07289e7ffff556c3aa8b94778f5ee37a2ebd17685d043f6
Opcode Fuzzy Hash: ae98dca3075db20f7c4b732631731ed6f27e71f82e66c1d63151498975e4c8f7
Instruction Fuzzy Hash: 55412E3190010CEBDB25EBBD9C45BBE3AA5FF82370F184226FA19D72B1E67848417671

Function 01046278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010462E2
ScreenToClient.USER32(?,?), ref: 01046315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01046382

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c20b94b6614d0da832ba0c83e8e90cbf9d66211990ffda35cf788354e1c388c7
Instruction ID: 79285265417ea4916b45cbdace78ed3153d592bce836a5c825349521d59118b4
Opcode Fuzzy Hash: c20b94b6614d0da832ba0c83e8e90cbf9d66211990ffda35cf788354e1c388c7
Instruction Fuzzy Hash: C3516CB4A00249AFDF21CF58D9C09AE7BF5FF46321F1081A9F8A497291E732E941CB50

Function 01031AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01031AFD
WSAGetLastError.WSOCK32 ref: 01031B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01031B8A
WSAGetLastError.WSOCK32 ref: 01031B94

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3057b747991c559f7e92ef982296823cd0dad03e82254b7de8495265eca71bbc
Instruction ID: 150e860d5e72b01577d05994718fd33d395a1b71a1b93c2a08d58427169ce829
Opcode Fuzzy Hash: 3057b747991c559f7e92ef982296823cd0dad03e82254b7de8495265eca71bbc
Instruction Fuzzy Hash: B141B574600200AFE724EF24C986F6A77E5AB88718F54848CF6569F3C2D776DD428B90

Function 00FEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93ad44a00cf5539fd30b2c3f9cfd030b211995acee0815873480672aa63fb45
Instruction ID: 7364e56d005ffaf384055906ff64f347bdaeb8e2101a459b7825833e21f6520e
Opcode Fuzzy Hash: d93ad44a00cf5539fd30b2c3f9cfd030b211995acee0815873480672aa63fb45
Instruction Fuzzy Hash: 80410872A00344AFD724DF79CC41B6BBBA9EF84720F10466EF541DB2D1D775A9019790

Function 010256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01025783
GetLastError.KERNEL32(?,00000000), ref: 010257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010257FA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b2c2fe7d306032fbbacdbe490bcf3fcd43035e25270ebb8f84b8e529418cd1ec
Instruction ID: 9388bbfd40493786cf662a955bffa6ce2745bf589e8e4cc557b9087d86a1b93b
Opcode Fuzzy Hash: b2c2fe7d306032fbbacdbe490bcf3fcd43035e25270ebb8f84b8e529418cd1ec
Instruction Fuzzy Hash: 8A412E39600610DFCB21EF15C945A9EBBE1AF89310B18C488E84A6B366CB79FD01DF91

Function 00FED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FD6D71,00000000,00000000,00FD82D9,?,00FD82D9,?,00000001,00FD6D71,8BE85006,00000001,00FD82D9,00FD82D9), ref: 00FED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FED9AB
__freea.LIBCMT ref: 00FED9B4

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 94a991a642e6b2a7ec06daf26045c92a129bdf94cddb13c5340356f2284f0cec
Instruction ID: 5a49a558e5e386194533a3d4bee53ca792c7ae9909a4cd243a28b9fbb5aa74e6
Opcode Fuzzy Hash: 94a991a642e6b2a7ec06daf26045c92a129bdf94cddb13c5340356f2284f0cec
Instruction Fuzzy Hash: 8631E172A0124AABDF24DF66DC85EAE7BA5EF41320F050169FC04D7251EB39DD50EBA0

Function 0101AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0101AAAC
SetKeyboardState.USER32(00000080), ref: 0101AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0101AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0101AB88

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a8f4b4976fe5ca8ede02cf6095f2f095b7cd8c89de47958ad8f4e176aa0a642
Instruction ID: 82438d705b732f435273dc3054cb474003931344b6ca6c1555761d189d8c25cc
Opcode Fuzzy Hash: 9a8f4b4976fe5ca8ede02cf6095f2f095b7cd8c89de47958ad8f4e176aa0a642
Instruction Fuzzy Hash: 2E310470B422C8EEFF318A688884BFA7BE6BB44310F04465AE1C1531DAD37D85818761

Function 010452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01045352
GetWindowLongW.USER32(?,000000F0), ref: 01045375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01045382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010453A8

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b62bbd4c9339bcee74e31be0631084274277284ad173aa5ac2b4492d56eec3e6
Instruction ID: eb94f9d90c45010c303c50ba52f27824ef2cc4015f6907e0ef1d25c05e9278b1
Opcode Fuzzy Hash: b62bbd4c9339bcee74e31be0631084274277284ad173aa5ac2b4492d56eec3e6
Instruction Fuzzy Hash: FA31C2B4A55208FFFB749E18CCC5BE83BE5AB05352F48C1A1FAD0961D1C7B5A980DB42

Function 01047674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0104769A
GetWindowRect.USER32(?,?), ref: 01047710
PtInRect.USER32(?,?,01048B89), ref: 01047720
MessageBeep.USER32(00000000), ref: 0104778C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7cb9f41c74c48703214f24d77f69ddef017c759e480b77b2aa8737a93e4ad935
Instruction ID: fcb2ec6af474d8d1b0997b629d7b686f83147506a2630ba21a1bacf3804dc641
Opcode Fuzzy Hash: 7cb9f41c74c48703214f24d77f69ddef017c759e480b77b2aa8737a93e4ad935
Instruction Fuzzy Hash: 3041BCB8601215EFDB22CF58C5C4EAC7BF5BF48310F4540B8E9D49B255C336A942CB90

Function 010416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010416EB

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

GetCaretPos.USER32(?), ref: 010416FF
ClientToScreen.USER32(00000000,?), ref: 0104174C
GetForegroundWindow.USER32 ref: 01041752

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2037f74f3ad0f27b10ad1be95344ceb2ec61ed357ec6709c98d60c0a70662d5f
Instruction ID: 5606cfb086b00b146c7f6ed94655590b738e139d319286c86506e7e9c0568937
Opcode Fuzzy Hash: 2037f74f3ad0f27b10ad1be95344ceb2ec61ed357ec6709c98d60c0a70662d5f
Instruction Fuzzy Hash: CD313EB5D00249AFD700EFAAC9C18EEBBF9FF48204B5480AAE455E7201D7359E45CFA0

Function 0101DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

_wcslen.LIBCMT ref: 0101DFCB
_wcslen.LIBCMT ref: 0101DFE2
_wcslen.LIBCMT ref: 0101E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0101E018

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 62ddd963b4266442f97e143a516d5da4aa9d9e1a416a790303682d2127316392
Instruction ID: ef2189e71364b919d3f8aa5cbd5b7277b2e09bd8aa5425f7179392e54f6a4728
Opcode Fuzzy Hash: 62ddd963b4266442f97e143a516d5da4aa9d9e1a416a790303682d2127316392
Instruction Fuzzy Hash: CF21D371900214AFCB21AFA8CD81BAEB7F9EF45750F1440A9F944BB346D6789E408BA1

Function 0101D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0101D501
Process32FirstW.KERNEL32(00000000,?), ref: 0101D50F
Process32NextW.KERNEL32(00000000,?), ref: 0101D52F
CloseHandle.KERNEL32(00000000), ref: 0101D5DC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 202b349c0513475c10f6b59d595c0e233a670b2a7c5d94878425228b37e09d69
Instruction ID: 89fecb4b90579034d8db62ae748eb383cd3a83790058b4d3d1ea56d69c560e90
Opcode Fuzzy Hash: 202b349c0513475c10f6b59d595c0e233a670b2a7c5d94878425228b37e09d69
Instruction Fuzzy Hash: 8B31BF711083009FD311EF94CC85AAFBBF8EF99354F14092DF6C1821A1EB799A48DB92

Function 01048FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

GetCursorPos.USER32(?), ref: 01049001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01007711,?,?,?,?,?), ref: 01049016
GetCursorPos.USER32(?), ref: 0104905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01007711,?,?,?), ref: 01049094

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c0f1b46333ed426166830e1ca267e56dead5539b695b8f7461735db36284f235
Instruction ID: adaf7265b764cb6a8008fd9fddd03fb1add30408b0d6ec8a3ed4912f96f0528c
Opcode Fuzzy Hash: c0f1b46333ed426166830e1ca267e56dead5539b695b8f7461735db36284f235
Instruction Fuzzy Hash: 04219C75601018AFEB25DF98C889EEF3BB9EF89350F0040B9FA8547251C7369990DB60

Function 0101D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0104CB68), ref: 0101D2FB
GetLastError.KERNEL32 ref: 0101D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0101D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0104CB68), ref: 0101D376

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 957467fca28ded74a9180eee71b82353d7e2ffb8fb0c29123e37560ce07ec9fa
Instruction ID: b93667d6e3b2e1bd46ebc088e74a48e2f9ed4c8bafa1f0fc8c31d34f093bbfbb
Opcode Fuzzy Hash: 957467fca28ded74a9180eee71b82353d7e2ffb8fb0c29123e37560ce07ec9fa
Instruction Fuzzy Hash: 5321E2745093019F9310DF69CA848AE7BE8EF46328F108A5DF4D9C72A5DB39D906CF92

Function 01011571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01011014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0101102A
Part of subcall function 01011014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01011036
Part of subcall function 01011014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011045
Part of subcall function 01011014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0101104C
Part of subcall function 01011014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010115BE
_memcmp.LIBVCRUNTIME ref: 010115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01011617
HeapFree.KERNEL32(00000000), ref: 0101161E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a212f10f25efe7f12defa05f8b3d16c20959f739b69047da569d19af422ade64
Instruction ID: 5cb2f9a44c707dfe54f58c2efb17cf9c7e063f85f212fa5e39b0436ed092f43a
Opcode Fuzzy Hash: a212f10f25efe7f12defa05f8b3d16c20959f739b69047da569d19af422ade64
Instruction Fuzzy Hash: 46218E71E01109EFDB14CFA8CA44BEEBBF8EF44354F084899E681A7244D739AA05CB50

Function 01042782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0104280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01042824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01042832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01042840

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 47a70a56d30a8cf8ac5c1edbd72fc7cd226279f1c8b82813d3dc33de5eb7dc50
Instruction ID: 58e8991702c93cec98a820a96cde8684f3b993a2571a995deb592f9085b75e9d
Opcode Fuzzy Hash: 47a70a56d30a8cf8ac5c1edbd72fc7cd226279f1c8b82813d3dc33de5eb7dc50
Instruction Fuzzy Hash: A321F475305111AFE714DB24D884FAA7B95AF45324F1481A8F4568B6D2C775EC82CBD0

Function 0102CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0102CE89
GetLastError.KERNEL32(?,00000000), ref: 0102CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0102CEFE

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 79a352e2c134d5483603dff63958b8d209855d3a566b0b8c0e5994b8183d4f70
Instruction ID: cc9414fad9814a1771411ae931ea3d106ddf88c4f405c1849994d0ffa752215a
Opcode Fuzzy Hash: 79a352e2c134d5483603dff63958b8d209855d3a566b0b8c0e5994b8183d4f70
Instruction Fuzzy Hash: C421C1B15007159BFB70DF69CB84BABBBFCEB40358F10445EE686D2141E775EA048B50

Function 010178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01018D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0101790A,?,000000FF,?,01018754,00000000,?,0000001C,?,?), ref: 01018D8C
Part of subcall function 01018D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01018DB2
Part of subcall function 01018D7D: lstrcmpiW.KERNEL32(00000000,?,0101790A,?,000000FF,?,01018754,00000000,?,0000001C,?,?), ref: 01018DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01017923
lstrcpyW.KERNEL32(00000000,?), ref: 01017949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01017984

Strings

cdecl, xrefs: 0101797B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 21cece0e02deb29616c36987f2db31694bc72495975478dc23f92e426821de1c
Instruction ID: 9a839eb442920e9571a91052508ef650111ceacbdd63bcbd0a5d75d7e81b7271
Opcode Fuzzy Hash: 21cece0e02deb29616c36987f2db31694bc72495975478dc23f92e426821de1c
Instruction Fuzzy Hash: 7C112C3A200302ABDB155F38C844D7B77E6FF85350B40402EF982C7268EB359905C791

Function 01047CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01047D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01047D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01047D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0102B7AD,00000000), ref: 01047D6B

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4c76dcb85b4b6174bf561ba82a47f172c0658467204cdb7c20839ea58713721d
Instruction ID: af3a6a7a87c682408de106786b74608be5ca684958129637e1f4bd4cc2aaf80d
Opcode Fuzzy Hash: 4c76dcb85b4b6174bf561ba82a47f172c0658467204cdb7c20839ea58713721d
Instruction Fuzzy Hash: D011D2B2215615AFDB20AF2CCC84A6A3BA5BF45360B118378F9F9C72E0D7359951CB80

Function 01045660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010456BB
_wcslen.LIBCMT ref: 010456CD
_wcslen.LIBCMT ref: 010456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01045816

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8447211197d05930f6343d3a7e19f4261ef3e06daadd59ee97ddabf58aa7b675
Instruction ID: 3d93d3c10a826dc1f7eab27f604f2842976d09a44b879efd3d851b271cbdbf66
Opcode Fuzzy Hash: 8447211197d05930f6343d3a7e19f4261ef3e06daadd59ee97ddabf58aa7b675
Instruction Fuzzy Hash: 991103F5600208A7EB20DF65DCC1AEE3BACEF05364B00407AFA85DA081EB74D640CB60

Function 00FE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0d392158d77651cf1b205dca71212903d88269a790de22cc535a8435df1eac
Instruction ID: 17f00632a999bc74f516eff29feabdc87afc1d49eb753d924f7410cf98f10681
Opcode Fuzzy Hash: 0a0d392158d77651cf1b205dca71212903d88269a790de22cc535a8435df1eac
Instruction Fuzzy Hash: 0E01A2B260A69A3EF731257B6CC1F2B761CEF813B8B310329F521511D6DB798C047160

Function 01011A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01011A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A8A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1b84d2acb9ff0eab1b70a3c6dbf53dbaba303f399193ccae443ac119eb4dd144
Instruction ID: 95a2f854a42774ff36aaf73af5f147cb1b2ba800843af3e84a3f9763a182d845
Opcode Fuzzy Hash: 1b84d2acb9ff0eab1b70a3c6dbf53dbaba303f399193ccae443ac119eb4dd144
Instruction Fuzzy Hash: 0211397AD00219FFEB11DBA8C985FADBBB8EB08754F200091EA00B7294D6716E50DB94

Function 0101E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0101E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0101E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0101E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0101E24D

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 23e73bea376fcfacf3e4500a3d84c441559e6555f49d6e3ef0150299fdf0a41c
Instruction ID: 89eb12cb8b11317a76563c4d8bd96fded07c78d1ff5e1df41905b60ad14040e2
Opcode Fuzzy Hash: 23e73bea376fcfacf3e4500a3d84c441559e6555f49d6e3ef0150299fdf0a41c
Instruction Fuzzy Hash: 05112BB6A04254BFD7229FACDD45ADE7FACAF46310F048255FD94D3285D2B9C90087A0

Function 00FDD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FDCFF9,00000000,00000004,00000000), ref: 00FDD218
GetLastError.KERNEL32 ref: 00FDD224
__dosmaperr.LIBCMT ref: 00FDD22B
ResumeThread.KERNEL32(00000000), ref: 00FDD249

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0a8b53a89214ba34563f83cb974e2d6def4b953a01c376d0b01a32b994c97749
Instruction ID: 224035662d669e266da431c094b1481719d8a2d8e96cb0741bbd95ceedb361a1
Opcode Fuzzy Hash: 0a8b53a89214ba34563f83cb974e2d6def4b953a01c376d0b01a32b994c97749
Instruction Fuzzy Hash: 9801F9768051047BD7216BA5DC09BAE7B6EDF82332F18031AF925923D0DB75C905E7A0

Function 01049EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

GetClientRect.USER32(?,?), ref: 01049F31
GetCursorPos.USER32(?), ref: 01049F3B
ScreenToClient.USER32(?,?), ref: 01049F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01049F7A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c786755def7615e2b63866dfb0826bec2d4434994848373119d71d7f169ab9f7
Instruction ID: 4d6c329f9aeff2934df72fdfba6db77abfc51dfa62c7e77f5878a01104d6f0a0
Opcode Fuzzy Hash: c786755def7615e2b63866dfb0826bec2d4434994848373119d71d7f169ab9f7
Instruction Fuzzy Hash: 4E114CB550111AFBDB10DF58D9859EE77B8FF49315F0004A5F981E3140D735BA82CBA1

Function 00FB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
GetStockObject.GDI32(00000011), ref: 00FB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0e7ce88681db281fd9832318248699f7c09521648574f548000558d0a9d94f3d
Instruction ID: 7ee76662f6cbfd8d993508317fdef340f57d3a34c964abbbaa879b2c549e282d
Opcode Fuzzy Hash: 0e7ce88681db281fd9832318248699f7c09521648574f548000558d0a9d94f3d
Instruction Fuzzy Hash: 771161B3502548BFEF229F969D44EFA7B69FF093A4F040115FA5492110D73A9C60EF90

Function 00FD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FD3B56

Part of subcall function 00FD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FD3AD2
Part of subcall function 00FD3AA3: ___AdjustPointer.LIBCMT ref: 00FD3AED

_UnwindNestedFrames.LIBCMT ref: 00FD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FD3BA4

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f0edf08cb407e4859df5f797cf20c300daa63f414c5de571fc7dfd6a7705e908
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 52012D32500148BBDF126F95CC46DEB3B6AEF88754F08401AFE4856221C736E961EBA1

Function 00FE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FB13C6,00000000,00000000,?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue), ref: 00FE30A5
GetLastError.KERNEL32(?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue,01052290,FlsSetValue,00000000,00000364,?,00FE2E46), ref: 00FE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue,01052290,FlsSetValue,00000000), ref: 00FE30BF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bfe36360524650c3076d9d44eb17f50a828a72c02d85b081afce90e426ef3144
Instruction ID: 3011afab7b876b71ba6e7145b7771c9c957536b63e678d0e224712eeb2c59fc4
Opcode Fuzzy Hash: bfe36360524650c3076d9d44eb17f50a828a72c02d85b081afce90e426ef3144
Instruction Fuzzy Hash: 44012B76702262ABDB318A7B9D8CA677B98AF45B75B200620FB45E3144C736D901D7E0

Function 01017464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0101747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01017497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010174CA

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6722914d0fdf05ae64a152903ffaa93683ce6378fa169d1b74fc13dbc92f3ce1
Instruction ID: 712a0ae8211ceec448b087787fa7486ad2332877b96042009056c62e4e498951
Opcode Fuzzy Hash: 6722914d0fdf05ae64a152903ffaa93683ce6378fa169d1b74fc13dbc92f3ce1
Instruction Fuzzy Hash: 1311A1B52423009BF7308F58DE48B967FFCEB40B00F008569EA96D6155DF79E904CB50

Function 01047E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01047E33
ScreenToClient.USER32(?,?), ref: 01047E4B
ScreenToClient.USER32(?,?), ref: 01047E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01047E8A

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 31613c07ee36ed3c8e52968d99dce78dfefb09a352d85d32f092162f05b3c90b
Instruction ID: 20bf2ed327d0a04511b52a4fbc04ed5020a0930bcaa6af1e5e7b796aba22ab54
Opcode Fuzzy Hash: 31613c07ee36ed3c8e52968d99dce78dfefb09a352d85d32f092162f05b3c90b
Instruction Fuzzy Hash: 181180B9D0020AAFDB51CFA8C584AEEBBF9FF08310F108066E951E3214D735AA54CF90

Function 01012DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01012DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01012DD6
GetCurrentThreadId.KERNEL32 ref: 01012DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01012DE4

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 784a6bc2d38f3e505bfcbcbfa28627b810f0e1ce171b2490000b996d1d2d7fd2
Instruction ID: 7fb38b95315b62ce6a25278acd260c9f15f0784aa1f0863e9d20391e360a60dd
Opcode Fuzzy Hash: 784a6bc2d38f3e505bfcbcbfa28627b810f0e1ce171b2490000b996d1d2d7fd2
Instruction Fuzzy Hash: EDE092B52022287BE7302BB6DE4DFEB3E6CEF47BA1F504015F245D10849AAAD440C7B0

Function 01048863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96A2
Part of subcall function 00FC9639: BeginPath.GDI32(?), ref: 00FC96B9
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01048887
LineTo.GDI32(?,?,?), ref: 01048894
EndPath.GDI32(?), ref: 010488A4
StrokePath.GDI32(?), ref: 010488B2

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c1e001fb0c2e9ff399bfba9f80a5d87d0a4b60113d5ca1e8fb4cf920377de1f5
Instruction ID: 9b220b6bcb86f9099422d7b023e196a032713acefdf5aabc2e42c49ed7f7ca50
Opcode Fuzzy Hash: c1e001fb0c2e9ff399bfba9f80a5d87d0a4b60113d5ca1e8fb4cf920377de1f5
Instruction Fuzzy Hash: E3F09A3A006258BBFB221E94AE4AFCE3E59AF06310F008104FA81610D5C3BA1111DBA9

Function 00FC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FC98CC
SetTextColor.GDI32(?,?), ref: 00FC98D6
SetBkMode.GDI32(?,00000001), ref: 00FC98E9
GetStockObject.GDI32(00000005), ref: 00FC98F1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: cb9fa8452e26f173f1c2c939a5a900700d37a57ee5d4203fdd2f7247f8ac7f1a
Instruction ID: c2fc687cc1839e08fe3ed32557d9478eebb87903e06d3ceac991a4600208973c
Opcode Fuzzy Hash: cb9fa8452e26f173f1c2c939a5a900700d37a57ee5d4203fdd2f7247f8ac7f1a
Instruction Fuzzy Hash: 5DE06575641280ABFB315B78AA49BD83F60AB06336F048259F7F5540E4C7B642409B10

Function 0101162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01011634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010111D9), ref: 0101163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010111D9), ref: 01011648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010111D9), ref: 0101164F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bf55e993bb49c27173cda6243d5fc7e87d8f73b2dd94bd734240346322a278c7
Instruction ID: 9c521d2cded0ec42934e5f3b918ac1c44d1bf6096d42b0f8732f9de3863406fd
Opcode Fuzzy Hash: bf55e993bb49c27173cda6243d5fc7e87d8f73b2dd94bd734240346322a278c7
Instruction Fuzzy Hash: 0EE04FB5602211ABE7701BB49F4DB463BA9AF45792F144848F6C5C9088D67E40408B50

Function 0100D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0100D858
GetDC.USER32(00000000), ref: 0100D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0100D882
ReleaseDC.USER32(?), ref: 0100D8A3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 997f7d28c0dc56e3be2b7b4d296249d5349494549b9e2f3677804c1eeda72456
Instruction ID: 7dfe05cf41499458f910e43eb90b1027f938273680acac27d93ee9a698fef8ec
Opcode Fuzzy Hash: 997f7d28c0dc56e3be2b7b4d296249d5349494549b9e2f3677804c1eeda72456
Instruction Fuzzy Hash: 28E01AB9801205EFEB619FE0D748A6DBBB5FB08310F108059F886E7244C73D9901AF50

Function 0100D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0100D86C
GetDC.USER32(00000000), ref: 0100D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0100D882
ReleaseDC.USER32(?), ref: 0100D8A3

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2ea62e0a516a67e57bc340ace9ee01c0de0d3ca8033557ff59e07c581227fc5f
Instruction ID: 1e5bae6236f86ffd2f36232a835b105f6f7d93434fe2f09f3c768157cb1faa1d
Opcode Fuzzy Hash: 2ea62e0a516a67e57bc340ace9ee01c0de0d3ca8033557ff59e07c581227fc5f
Instruction Fuzzy Hash: D7E01AB9801200EFDB609FA0D64866DBBB5BB08310B108048F886E7244C73D6901AF50

Function 01024D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01024ED4

Strings

LPT, xrefs: 01024DFB
*, xrefs: 01024E10

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dd4e9efc3afad06ef722d7c109d215d867d3e9cc1143426084c72a58c345162c
Instruction ID: 7cdf273daea9bcae447d19b69b19399fbb198939ad3bf8dd84f63fcd0faa149c
Opcode Fuzzy Hash: dd4e9efc3afad06ef722d7c109d215d867d3e9cc1143426084c72a58c345162c
Instruction Fuzzy Hash: 25918F75A00214DFDB54DF58C884EAABBF1AF84304F1980D9E84A9F7A2C735ED85CB90

Function 00FDE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FDE30D

Strings

pow, xrefs: 00FDE2E5, 00FDE302

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f134f98ed10e371fd9fc16c70389214544497a6201d4b547d27bc357ed6c68ed
Instruction ID: cafb5e04ff3270b391f75c1728e7a02bced3ec772ca8f66805223828c61c0b49
Opcode Fuzzy Hash: f134f98ed10e371fd9fc16c70389214544497a6201d4b547d27bc357ed6c68ed
Instruction Fuzzy Hash: 25518E72E0C34296CB257615CD0137A3F99EF40761F3849AAE0D54A3DCEB398C85BB86

Function 00FCE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FCE1B1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dcf6f54525e3142539cbe5a69f86cac69102e0d4a10b0bd73fe96b6ffcb71075
Instruction ID: 3edd4ee39237810f05895337463b6c5679352c9ce5e6c0ac2968024e1ab5f9e0
Opcode Fuzzy Hash: dcf6f54525e3142539cbe5a69f86cac69102e0d4a10b0bd73fe96b6ffcb71075
Instruction Fuzzy Hash: 96515575904206DFEB26DF28C482BFA7BE8FF55310F244499E8D5AB2C1D6389D42DB90

Function 00FCF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FCF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FCF2BB

Strings

@, xrefs: 00FCF2AF

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0372b86c89331aaabf5276ff6c28a27151a4127d0eb076354c8af833471d6474
Instruction ID: 7fd7e6c8f42972ba3d3ce65beed095ed43f6a675697c8cc5e9b24282fa0d1e28
Opcode Fuzzy Hash: 0372b86c89331aaabf5276ff6c28a27151a4127d0eb076354c8af833471d6474
Instruction Fuzzy Hash: 865135715087449BE320AF11DC86BABBBF8FBC4340F81885DF1D982195EB758529CB66

Function 01035745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010357E0
_wcslen.LIBCMT ref: 010357EC

Strings

CALLARGARRAY, xrefs: 010357E6, 010357EB

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f5a259588a0b37827ab2b904b3fd865aaff541ea3768818a9d813a08c02e4d48
Instruction ID: b098f5e39e94e942aa95494edb138d6ab7ea39e8eb7e00ca791adb89b0204792
Opcode Fuzzy Hash: f5a259588a0b37827ab2b904b3fd865aaff541ea3768818a9d813a08c02e4d48
Instruction Fuzzy Hash: E9419171E002099FCB14DFA9CD819FEBBF9FF89314F244069E545A7262E7749981CB90

Function 0102D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0102D13A

Strings

|, xrefs: 0102D10B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6ca9991b379de53b0e4eb36074bb446f9d4fe45891d207b55ec7935da8b87b5e
Instruction ID: e0019c57699598a293638c6328acad2b0947c171819f21f09deff9b517ad30a3
Opcode Fuzzy Hash: 6ca9991b379de53b0e4eb36074bb446f9d4fe45891d207b55ec7935da8b87b5e
Instruction Fuzzy Hash: 66313D71D00219ABDF15EFA5CC85AEEBFB9FF04300F100059F915A61A6E739AA06DF54

Function 0104356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01043621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0104365C

Strings

static, xrefs: 010435BC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: da2247e7f08db62596bfa3126f8680d37412c4d61c2630ee0f300bd0ee4dceba
Instruction ID: 6d475a59f8982aeb69edf6de220c8377928f181a23b73858de626a24d30437d9
Opcode Fuzzy Hash: da2247e7f08db62596bfa3126f8680d37412c4d61c2630ee0f300bd0ee4dceba
Instruction Fuzzy Hash: F3318FB1110205AFEB209F68DC80EFB73A9FF48720F009629F9A597280DA35A891D760

Function 01044537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0104461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01044634

Strings

', xrefs: 0104458E

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: aa00198675b307d6607b5b58c8b7e127cfea58215a2ace199a0083b30b5425f4
Instruction ID: ea18768fcd512b161ed392ba341ccdfab5b7a5356655e2ad9be889fffbf42fe7
Opcode Fuzzy Hash: aa00198675b307d6607b5b58c8b7e127cfea58215a2ace199a0083b30b5425f4
Instruction Fuzzy Hash: 5631E7B4A012099FDF14CFA9C981BDA7BB5FF49300F144169EA45EB342D771A945CF90

Function 010431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0104327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01043287

Strings

Combobox, xrefs: 01043249

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 200c155b4bc206c8d38844ec479a6be0a11d5026ba0e1ea332e469b72939ee31
Instruction ID: ad0b7931393ce360d692ba87ac5c5fa3b319c636ac1561cc2c1096f7d88a5b41
Opcode Fuzzy Hash: 200c155b4bc206c8d38844ec479a6be0a11d5026ba0e1ea332e469b72939ee31
Instruction Fuzzy Hash: D911D3B13002186FFF669E58DDC0EAB37AAFB483A4F105125F9949B291D6359C51C760

Function 01043710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
Part of subcall function 00FB600E: GetStockObject.GDI32(00000011), ref: 00FB6060
Part of subcall function 00FB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

GetWindowRect.USER32(00000000,?), ref: 0104377A
GetSysColor.USER32(00000012), ref: 01043794

Strings

static, xrefs: 01043757

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0f35c9e166a2fd3b898c64d08fef5ca6c910e4cf47d07af324689812f09a83ca
Instruction ID: 2925a9bbf282b9d938d0c4323a2529a4843772315d7e915a58d283bcc597f745
Opcode Fuzzy Hash: 0f35c9e166a2fd3b898c64d08fef5ca6c910e4cf47d07af324689812f09a83ca
Instruction Fuzzy Hash: 961129B2610209AFEB11DFA8CD85AEE7BF8FF08354F005925F995E6240D735E8519B50

Function 0102CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0102CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0102CDA6

Strings

<local>, xrefs: 0102CD66

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7ee318c9f011224a462de4186f81abbbdf056beb31e95336aaf7025794bcaf80
Instruction ID: ae9ddfe172740d6609660b3a3d91d62fac803114ff32405fe47b1ea2cf7d0f66
Opcode Fuzzy Hash: 7ee318c9f011224a462de4186f81abbbdf056beb31e95336aaf7025794bcaf80
Instruction Fuzzy Hash: A71129B12016317AF7746A668D84FFBBEACEF026A4F00425AF18983080D3759444C6F0

Function 01043429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010434BA

Strings

edit, xrefs: 0104348F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d64d1d6a7497d942d27a4fb730a824af6a50085e3db602d54615b2814f4892bf
Instruction ID: bfca55e158604147f04a1fc4312ef4a5eaa97aec9262e7aad242f36c8fd2c919
Opcode Fuzzy Hash: d64d1d6a7497d942d27a4fb730a824af6a50085e3db602d54615b2814f4892bf
Instruction Fuzzy Hash: 33119DB5100118ABEB624E68DC84AEA37AAFB85374F505324F9A09B1D4CB36EC519B50

Function 01016C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01016CB6
_wcslen.LIBCMT ref: 01016CC2

Strings

STOP, xrefs: 01016CBC, 01016CC1

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a4fe00bbd13b2ab198b28aecdffc7d4605a521aef29b68b7f936df5c72e54be7
Instruction ID: 917215f809e8ee2e6122c0c8e6f0c747a623a5d9fa68a10e3f45da01c26873c2
Opcode Fuzzy Hash: a4fe00bbd13b2ab198b28aecdffc7d4605a521aef29b68b7f936df5c72e54be7
Instruction Fuzzy Hash: 95010432E0052A8BDB21AFBECC808BF3BE5EB61610B400564E99292189EBBBD440C750

Function 01011CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01011D4C

Strings

ComboBox, xrefs: 01011CEB
ListBox, xrefs: 01011D16

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1c7af217eac0e73027b912abfd712ed9ae3fa38b9602c0b87792ff2fcbe6b164
Instruction ID: 32e435c1f07aa18dc5fe9eb55b9d9eeaf3595c0cc6c2738553610f1ac90e6511
Opcode Fuzzy Hash: 1c7af217eac0e73027b912abfd712ed9ae3fa38b9602c0b87792ff2fcbe6b164
Instruction Fuzzy Hash: 72014C7560121DABDB08FBB5CD50CFE77A8FF16350B400509EAB25B3C4EA785408CB60

Function 01011BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01011C46

Strings

ComboBox, xrefs: 01011BE5
ListBox, xrefs: 01011C10

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7afec659a5cd123cc290d2293d930be074ba6298049439a72f0eddf89e890b8f
Instruction ID: 6165efef5180b51dbd4ac0fea15836bdf3945aaf224c26f7b8909480df1d4195
Opcode Fuzzy Hash: 7afec659a5cd123cc290d2293d930be074ba6298049439a72f0eddf89e890b8f
Instruction Fuzzy Hash: 04012BB5B4110D67DB08EBA1CE51DFF77E8AF11340F100019AA8667285EA78AA08CBB1

Function 01011C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01011CC8

Strings

ComboBox, xrefs: 01011C69
ListBox, xrefs: 01011C94

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 975a62dac21556eec96e9288fa94d8bdaf58b4b2ce9b7d373545023e9d515536
Instruction ID: c1ad5b0d4f0e6b1f44263db6f2c237cc70d356874218d33019c6a4938ebfcef8
Opcode Fuzzy Hash: 975a62dac21556eec96e9288fa94d8bdaf58b4b2ce9b7d373545023e9d515536
Instruction Fuzzy Hash: 88012BB5A0011D67DF08E7A5CF41AFF77E8AB11340F100015AA8667285EA789A08CBB1

Function 01011D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01011DD3

Strings

ComboBox, xrefs: 01011D75
ListBox, xrefs: 01011DA0

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cba937351d09c2026dc883df615f0a1f348062c228fddf87862e378388e86939
Instruction ID: dcbd0c7786c1755d43aec5a34d1b810eab704d969edbfa5b882e09ff6163b868
Opcode Fuzzy Hash: cba937351d09c2026dc883df615f0a1f348062c228fddf87862e378388e86939
Instruction Fuzzy Hash: 15F04970A0021967DB08F7A5CC81BFF77A8AB01350F400808BAA2672C4EA7855088760

Function 0103747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01037493
_wcslen.LIBCMT ref: 010374B9

Strings

3, 3, 16, 1, xrefs: 01037483

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9c3284a6ef4b2411c3b8476176b6d521bd165db01887e4f0255910b282d27005
Instruction ID: 8297262f460bb87fdb590bed396ba0e8a1f60b7a3bb2cdf9f320a1c3791ef4e5
Opcode Fuzzy Hash: 9c3284a6ef4b2411c3b8476176b6d521bd165db01887e4f0255910b282d27005
Instruction Fuzzy Hash: 67E02B42601320219271137F9CC197F7ACECFC9690714182BFAC5C2366EFA8ED9193A1

Function 01010B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01010B23

Strings

AutoIt, xrefs: 01010B17
Error allocating memory., xrefs: 01010B1C

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 77354623be6ddf8feb3a2540eb1d0236cd3420544ad6920b13b2d95089302ab2
Instruction ID: 9b1cb56fa469f093ec00c027b9238394a49b2bc485c47771c034107bc35486ce
Opcode Fuzzy Hash: 77354623be6ddf8feb3a2540eb1d0236cd3420544ad6920b13b2d95089302ab2
Instruction Fuzzy Hash: 9CE0D83128531837E2143795BE43FC97B859F05B10F10446EFBD4995C38EDA249016ED

Function 00FD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FD0D71,?,?,?,00FB100A), ref: 00FCF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FB100A), ref: 00FD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FB100A), ref: 00FD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FD0D7F

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ffcd99318178deb79fa3f10f979363158bd7d8e1e8ac14d5402cf9f866113f29
Instruction ID: 287e5590bd4cd92a42f350f103faff0adc85ea85f5e68f0d9b88eb94430db404
Opcode Fuzzy Hash: ffcd99318178deb79fa3f10f979363158bd7d8e1e8ac14d5402cf9f866113f29
Instruction Fuzzy Hash: F7E06DB42003028BE3309FBEE6447467BE2AF04B45F04892EE4C6C7746DFB9E4449BA1

Function 01023017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0102302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01023044

Strings

aut, xrefs: 01023038

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a58688428f20d6645818598147587777666f0d2b4a206942fd71469bffc7d844
Instruction ID: b2d4cd4b920d02d070e715df4994f445699993e8575fc3e2cad99d9419c6e2a8
Opcode Fuzzy Hash: a58688428f20d6645818598147587777666f0d2b4a206942fd71469bffc7d844
Instruction Fuzzy Hash: 9CD05BB550131477EB30A6959E4DFC73A6CD704650F0001517695D6085DAF59544CFD4

Function 0100D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0100D220

Strings

X64, xrefs: 0100D2A8
%.3d, xrefs: 0100D22B

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: efb62a7dd21a068c45ee7d5b603f3d386e082badc266c822c0e949d67702988d
Instruction ID: 8fa0ba30031847b6db04aec83a676cea4166f6851784b9e85f6344b870f29331
Opcode Fuzzy Hash: efb62a7dd21a068c45ee7d5b603f3d386e082badc266c822c0e949d67702988d
Instruction Fuzzy Hash: D2D05BB1C09119FADB5196D0CE4ADBDF37CFB68351F408466F98AD1080D738D5085B71

Function 01042322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0104232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0104233F

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Strings

Shell_TrayWnd, xrefs: 01042325

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9b89e946361f00e9ed57cf40ddaa3692c2cace36a57f856ed14207c38e74be1e
Instruction ID: 32397795d8b04a2d4ceec68485634b9bd868795e219de6bb996c7f3e34e506ef
Opcode Fuzzy Hash: 9b89e946361f00e9ed57cf40ddaa3692c2cace36a57f856ed14207c38e74be1e
Instruction Fuzzy Hash: 01D0A9BA791300B7F274A331DE4FFCABA14AB00B00F0049067786AA1C8C8B9A800CB44

Function 01042356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0104236C
PostMessageW.USER32(00000000), ref: 01042373

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Strings

Shell_TrayWnd, xrefs: 01042365

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eaa84d3d3a54044390a9704d3e21a2367a95b37ee712433847bc2d64939fece7
Instruction ID: 52b95bf0cd67160952cc00ef6553e13e915023421d384ee07c6b4cea5d83917c
Opcode Fuzzy Hash: eaa84d3d3a54044390a9704d3e21a2367a95b37ee712433847bc2d64939fece7
Instruction Fuzzy Hash: F1D0A9B67823007BF274A331DE4FFCAB614AB04B00F0049067782AA1C8C8B9A800CB48

Function 00FEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FEBE93
GetLastError.KERNEL32 ref: 00FEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FEBEFC

Memory Dump Source

Source File: 00000000.00000002.1905297627.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1905282613.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905346912.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905390165.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1905405524.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 61d1cfbf43deb0224a729a8e4f0e90667d902f60060b95a83d566d8598b627ec
Instruction ID: 1ad55863ff90c7544acc9e5a208685640173b75b358b662453ef17f24cb3da64
Opcode Fuzzy Hash: 61d1cfbf43deb0224a729a8e4f0e90667d902f60060b95a83d566d8598b627ec
Instruction Fuzzy Hash: 6041E835A052C6AFDF218FA6CC44BBB7BA5EF41320F144169F959972A1DB318D00EB60

Source: global traffic	HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-650802130&timestamp=1720124401898 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=515=mNFovHPZa0gBr1dKYE1qKyi6WGpTXS-xl2fSRuNre9Bx_eHFeopW0PRQ79jU9Pvolr1lCO7eeX_y22blGxlpfiJXSDJHrHo8xc8058QXykag_5LoGkXi35BZEZUX6F0a8Ha_efzRNRcJy6YNWbbA2AJOWnVKONFvXhaWCDBY0l0
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nxeS+otprgk5Bcy&MD=FeLCHCH7 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nxeS+otprgk5Bcy&MD=FeLCHCH7 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: file.exe, 00000000.00000002.1905751957.000000000351A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899311418.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903036536.0000000003512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountL equals www.youtube.com (Youtube)
Source: chromecache_90.3.dr	String found in binary or memory: _.$w(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.$w(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.$w(_.ix(c))+"&hl="+_.$w(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.$w(m)+"/chromebook/termsofservice.html?languageCode="+_.$w(d)+"&regionCode="+_.$w(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded":"")+"?hl="+_.$w(d)+"&gl="+_.$w(c)+(g?"&color_scheme="+ equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1904153023.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1894857261.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountKk equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1905804272.000000000354E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903381525.0000000003547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1903555604.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account~fh~ equals www.youtube.com (Youtube)

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\9a540d1b-7348-4c8a-95a6-63efbd690371 (copy)

C:\Users\user\Downloads\6f4d0126-b89f-4a74-bbac-50c2eb2de7e2.tmp

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Static File Info

General

Windows Analysis Report
file.exe

Function 00FB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00FB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00FF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0101AB9C Relevance: 6.1, APIs: 4, Instructions: 103
keyboardwindowCOMMON

Function 00FB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00FF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00FB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00FB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00FB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
comCOMMON

Function 00FB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre